Foreword



The aim of the ARTS’99 workshop is to bring together researchers and practitioners interested in the design of real-time and probabilistic systems. It is intended to cover the whole spectrum of development and application of specification, verification, analysis and construction techniques for real-time and probabilistic systems. Being a workshop under the umbrella of the AMAST movement (Algebraic Methodology And Software Technology), ARTS is intended to provide a forum for the presentation of approaches that are based on a clear mathematical basis. Aspects of real-time and probabilistic systems for the workshop include (but are not limited to): compositional construction and verification techniques, automatic and machine-supported verification, case studies, formal methods for performance analysis, semantics, algorithms and tools, and hybrid systems.

ARTS’99 was organised by the Lehrstuhl für Informatik 7 at the University of Erlangen-Nürnberg and took place at the Städtische Volkshochschule in Bamberg (Oberfranken), Germany from May 26-28, 1999. Previous editions of ARTS workshops were organized by the University of Iowa, USA (1993), University of Bordeaux, France (1995), Brigham Young University, USA (1996), and General Systems Development, Mallorca, Spain (1997). Previous proceedings appeared as LNCS 1231 or as books in the AMAST Series in Computing.

The Program Committee selected 17 papers from a total of 33 submissions. Each submitted paper was sent to three Program Committee members, who were often assisted by sub-referees. During a one-week discussion via e-mail, the Program Committee made the selection of the papers on the basis of the reviews. This volume contains the 17 selected papers plus 3 invited papers (in either full or abstract form).

I would like to thank the Program Committee members and the sub-referees for their efforts. I would also like to thank the invited speakers for giving a talk at the workshop and for their contribution to the proceedings. Special thanks to Ulrich Herzog, Chris Moog, Teodor Rus, Diego Latella and Ruth Abraham (Springer-Verlag) for their support. Without their help, this event would not have been possible.
Fully Abstract Characterization of Probabilistic May Testing



Bengt Jonsson and Wang Yi 

Department of Computer Systems, Uppsala University 
Box 325, S-751 05 Uppsala, SWEDEN 
{bengt,yi}@docs.uu.se



Abstract. In this paper, to develop a refinement relation for probabilistic and nondeterministic systems, we study a notion of probabilistic testing that extends the testing framework of de Nicola and Hennessy for nondeterministic processes to the probabilistic setting. We present a model of probabilistic computation trees, which corresponds to the classic trace model for non-probabilistic systems. Our main contribution is a fully abstract characterization of the may-testing preorder which is essential for the probabilistic setting. The characterization is given based on convex closures of probabilistic computation trees.



1 Introduction 

To study probabilistic phenomena such as randomization and failure rates in distributed computing, many researchers have focused on extending models and methods that have proven successful for nonprobabilistic systems to the probabilistic setting. In the non-probabilistic setting, transition systems are well-established as a basic semantic model for concurrent and distributed systems (e.g. [...]).

In the literature, the model of transition systems has been extended to the probabilistic case by adding a mechanism for representing probabilistic choice (e.g. [...]). In the non-probabilistic case there are two principal methods for reasoning about systems: to specify and prove properties in some logic, and to establish a preorder or equivalence relation between two transition systems. Both are very useful, e.g. in a stepwise development process. An abstract transition system model can be analyzed by proving properties in some logic. The abstract model can then be refined in a sequence of steps, where correctness is preserved in each step by establishing a preorder relation between the refined transition system and the refining one. To keep it manageable, it is often necessary to decompose the transition system model, implying that compositionality is an important property of a preorder.

In this paper, we use probabilistic transition systems to describe processes, 
which may contain probabilistic and nondeterministic choices independently. 



J.-P. Katoen (Ed.): ARTS’99, LNCS 1601, pp. 1-[...], 1999.
© Springer-Verlag Berlin Heidelberg 1999
This model is essentially that of Wang and Larsen [...] and the so-called alternating model of Hansson and Jonsson [...]; the concurrent Markov chain model has also been studied by Segala and Lynch [...]. It can also be seen as a nondeterministic extension of the purely probabilistic automata of Rabin [...] or the reactive model of Larsen and Skou [...], which do not include any nondeterministic choice construct. To develop a notion of refinement for probabilistic and nondeterministic systems, we study the testing framework of [...], which extends the work by de Nicola and Hennessy [...] to the probabilistic setting. The idea is to define the preorders in terms of the ability of systems to pass tests. Tests are simply processes with the additional ability to report success or failure, and so this set-up has the advantage of basing the preorder on a notion of “observation” (in this case through synchronization), which automatically yields compositional preorders.

Over the past years, a number of models for describing probabilistic aspects of transition systems in the form of e.g. Markov chains, process algebras, timed Petri nets, etc. have been proposed [...]. Logics and associated methods for probabilistic systems can be found in e.g. [...]. Several (bi)simulation-based preorders between probabilistic systems have been investigated, e.g. [...]. Segala and Lynch [...] and Wang [...] present simulation-based preorders for probabilistic processes. These are not based on some independent notion of “testing”. Testing-based preorders of probabilistic processes have also been studied by Christoff [2], by Cleaveland, Smolka, and Zwarico [...] and by Yuen et al. [...]. These works consider a purely probabilistic model [...], and therefore their preorders do not capture the notion of refinement in the sense of being “less nondeterministic”. The work which is closest to the current one is by Segala [...], who defines essentially the same testing preorders as in this work. Segala does not develop a characterization of the testing preorder in terms of objects like “traces” or “trees”, but proves that when defining the compositional testing preorder, it suffices to consider a unique “canonical” context: the compositional precongruence is obtained by comparing systems composed with this canonical context.

This paper is a continuation of our earlier work [...]. The purpose is to provide a more detailed and also simplified presentation of the technical contents of [...]. The characterization theorem presented in this paper is based on a slightly different model, that of probabilistic computation trees, which is a natural probabilistic extension of the classic trace model for CSP [...]. Our main contribution is a simplified fully abstract characterization of the may-testing preorder for probabilistic processes. The characterization is given based on convex closures of probabilistic computation trees. In [...] we have outlined how a fully abstract characterization of must-testing can be constructed in a similar manner.

The rest of the paper is organized as follows: in Section 2, we present the necessary definitions for probabilistic transition systems and testing semantics for such systems. Section 3 develops the notion of probabilistic computation trees, extending the classic trace model to the probabilistic setting. Section 4 establishes a characterization theorem for the may-testing preorder. Section 5 gives some concluding remarks.



2 Preliminaries 

We consider a model of probabilistic transition systems, containing probabilistic 
and nondeterministic choices as independent concepts. We study a notion of 
testing for these systems where tests may be probabilistic, implying that testers 
are capable of copying internal states. 

A probability distribution on a finite set $S$ is a function $\pi : S \to [0, 1]$ such that $\sum_{s \in S} \pi(s) = 1$. Let $Dist(S)$ denote the set of probability distributions on $S$. If $\pi$ is a probability distribution on $S$ and $\rho$ is a probability distribution on $T$, then $\pi \times \rho$ is a probability distribution on $S \times T$, defined by $(\pi \times \rho)((s, t)) = \pi(s) * \rho(t)$. A partial distribution on $S$ is a function $\pi : S \to [0, 1]$ such that

We assume a set Act of atomic actions, ranged over by a and b. 

Definition 1. A (probabilistic) process is a tuple $(S, \longrightarrow, \pi_0)$, where

- $S$ is a non-empty finite set of states,
- $\longrightarrow \subseteq S \times Act \times Dist(S)$ is a finite transition relation, and
- $\pi_0 \in Dist(S)$ is an initial distribution on $S$.

We shall use $s \stackrel{a}{\longrightarrow} \pi$ to denote that $(s, a, \pi) \in \longrightarrow$. □

We may view the distributions as probabilistic states and the others as nondeterministic states. By definition, a probabilistic process always alternates between probabilistic states and nondeterministic ones. In many cases, when it is understood from the context, we will identify a distribution that assigns probability 1 to a single state $s$ with the state $s$ itself.

To study compositionality, we define a synchronous parallel composition operator for probabilistic transition systems, in which two processes $\mathcal{P}$ and $\mathcal{Q}$ execute in parallel while synchronizing on all actions in $Act$.

Definition 2. Let $\mathcal{P} = (S, \longrightarrow, \pi_0)$ and $\mathcal{Q} = (T, \longrightarrow, \rho_0)$ be two processes. The composition of $\mathcal{P}$ and $\mathcal{Q}$, denoted $\mathcal{P}\|\mathcal{Q}$, is a process $(U, \longrightarrow, \varrho_0)$, where

- $U = S \times T$. A pair $(s, t) \in U$ is denoted $s\|t$.
- $\longrightarrow \subseteq U \times Act \times Dist(U)$ is defined by $s\|t \stackrel{a}{\longrightarrow} \pi \times \rho$ iff $s \stackrel{a}{\longrightarrow} \pi$ and $t \stackrel{a}{\longrightarrow} \rho$,
- $\varrho_0 = \pi_0 \times \rho_0$ is the initial distribution. □
Note that the parallel composition operator enjoys all the desired properties, such as commutativity and associativity, that a parallel composition operator in a process algebra should possess. Note also that the class of probabilistic transition systems is closed under the operator.

An initial state of a process $\mathcal{P} = (S, \longrightarrow, \pi_0)$ is a state $s \in S$ such that $\pi_0(s) > 0$. A state $s$ is reachable in $\mathcal{P}$ if there is a sequence $s_0 s_1 \cdots s_n$ where $s_0$ is initial, $s = s_n$, and for each $0 \le i < n$ there is a distribution $\pi_{i+1}$ such that $s_i \stackrel{a_{i+1}}{\longrightarrow} \pi_{i+1}$ for some action $a_{i+1}$ and $\pi_{i+1}(s_{i+1}) > 0$. A distribution $\pi \in Dist(S)$ is reachable in $\mathcal{P}$ if it is either the initial distribution or $s \stackrel{a}{\longrightarrow} \pi$ for some $a$ and some state $s$ which is reachable in $\mathcal{P}$.

A finite tree is a process $(S, \longrightarrow, \pi_0)$ with all states being reachable, in which for each state $s$ there is exactly one reachable distribution $\pi$ with $\pi(s) > 0$, for each noninitial reachable distribution $\pi$ there is exactly one $s$ and $a$ such that $s \stackrel{a}{\longrightarrow} \pi$, and further there is no $s$ and $a$ such that $s \stackrel{a}{\longrightarrow} \pi_0$. We shall be concerned with an important class of finite trees known as resolutions.



Definition 3. A finite tree is a resolution if for each state $s$ there is at most one action $a$ and distribution $\pi$ such that $s \stackrel{a}{\longrightarrow} \pi$. □

In the following, we will use the long arrow $\longrightarrow$ for transitions of processes, and the short arrow $\rightarrow$ for transitions of resolutions.

Following Wang and Larsen, we define tests as processes that are finite trees where the leaves are labeled by “success”.

Definition 4. A (probabilistic) test is a tuple $(T, \longrightarrow, \rho_0, F)$, where

- $(T, \longrightarrow, \rho_0)$ is a (probabilistic) process,
- $F \subseteq T$ is a set of success-states, each of which is terminal. □

In the following, we will assume that tests are finite trees. Note, however, that a process is not necessarily a finite tree.

A test $\mathcal{T}$ is applied to a process $\mathcal{P}$ by putting the process $\mathcal{P}$ in parallel with the test $\mathcal{T}$ and observing whether the test reaches a success state.

We define a testing system as the parallel composition of a process and a test. 

Definition 5. Let $\mathcal{P} = (S, \longrightarrow, \pi_0)$ be a process and $\mathcal{T} = (T, \longrightarrow, \rho_0, F)$ be a test. The composition of $\mathcal{P}$ and $\mathcal{T}$, denoted $\mathcal{P}\|\mathcal{T}$, is a test $(U, \longrightarrow, \varrho_0, G)$, also called a testing system, where

- $(U, \longrightarrow, \varrho_0) = (S, \longrightarrow, \pi_0)\|(T, \longrightarrow, \rho_0)$,
- $G = S \times F$ is the set of success states. □
Note that as tests are finite trees, testing systems will be finite trees.

Note also that the probabilistic choice of tests corresponds to the copying ability of testers, which is required to characterize observational equivalence for nondeterministic processes as a testing equivalence [...].

Since each state may have several outgoing transitions in $\mathcal{P}\|\mathcal{T}$, we cannot compute a unique “probability of success” (i.e., of reaching a success-state). The probability of success depends on the sequence of “choices” between outgoing transitions made both by $\mathcal{P}$ and by $\mathcal{T}$ during the course of executing $\mathcal{P}\|\mathcal{T}$. This problem disappears if the testing system happens to be a resolution, which however is not true in general. We therefore factor $\mathcal{P}\|\mathcal{T}$ into resolutions, each of which represents a sequence of such choices, and which can therefore be assigned a unique probability of success. Alternatively, we could imagine that there is a scheduler that decides the outcome of the next nondeterministic choice; each scheduler would then give rise to a resolution of $\mathcal{P}\|\mathcal{T}$.

Definition 6. Let $\mathcal{P} = (S, \longrightarrow, \pi_0)$ be a finite tree, and let $\mathcal{C} = (C, \rightarrow, \theta_0)$ be a resolution. Then $\mathcal{C}$ is a resolution of $\mathcal{P}$ if

- $C \subseteq S$,
- $c \stackrel{a}{\rightarrow} \theta$ in $\mathcal{C}$ implies $c \stackrel{a}{\longrightarrow} \theta$ in $\mathcal{P}$, and
- $\theta_0 = \pi_0$. □

Intuitively, a resolution of $\mathcal{P}$ is a “subtree” of $\mathcal{P}$ which only contains probabilistic choices.

If $c$ is a state of the resolution $\mathcal{C}$, let $\sigma_{\mathcal{C}}(c)$ denote the probability of reaching $c$ within $\mathcal{C}$. More precisely, if $c_0 c_1 \cdots c_n$ is a sequence where $c_0$ is initial, $c = c_n$, and for each $0 \le i < n$ we have $c_i \stackrel{a_{i+1}}{\rightarrow} \theta_{i+1}$ for some $a_{i+1}$ and $\theta_{i+1}$, then we define

$$\sigma_{\mathcal{C}}(c) = \theta_0(c_0) * \theta_1(c_1) * \cdots * \theta_n(c_n).$$

A resolution of a testing system can be assigned some probability of success. The set of resolutions defines a set of probabilities of success of $\mathcal{P}\|\mathcal{T}$, as follows.

Definition 7. Let $\mathcal{P}\|\mathcal{T} = (U, \longrightarrow, \varrho_0, G)$ be a testing system, and let $\mathcal{C} = (C, \rightarrow, \theta_0)$ be a resolution of $\mathcal{P}\|\mathcal{T}$. The expected outcome $\omega(\mathcal{C})$ of $\mathcal{C}$ is defined by

$$\omega(\mathcal{C}) = \sum_{s\|t \in (G \cap C)} \sigma_{\mathcal{C}}(s\|t).$$

We use $\Omega(\mathcal{P}\|\mathcal{T})$ to denote the set of expected outcomes $\omega(\mathcal{C})$ of resolutions $\mathcal{C}$ of $\mathcal{P}\|\mathcal{T}$. □

We now define a may-preorder of testing, which abstracts from the set of possible expected outcomes when testing a process $\mathcal{P}$ by a test $\mathcal{T}$: may testing considers the highest possible expected outcome of $\mathcal{P}\|\mathcal{T}$.

Definition 8. Given two processes $\mathcal{P}$ and $\mathcal{Q}$,

- $\mathcal{P} \sqsubseteq_{may} \mathcal{Q}$ iff for all tests $\mathcal{T}$: $\sup \Omega(\mathcal{P}\|\mathcal{T}) \ge \sup \Omega(\mathcal{Q}\|\mathcal{T})$. □

Intuitively, the preorder $\sqsubseteq_{may}$ refines processes with respect to “safety properties”. We can regard the success-states of a tester as states that define when the tester has observed some “bad” or “unacceptable” behavior. A process then refines another one if it has a smaller potential for “bad behavior” with respect to any test. In the definition of $\mathcal{P} \sqsubseteq_{may} \mathcal{Q}$, this means that the maximal probability of observing bad behavior of $\mathcal{Q}$ should not exceed the maximal probability of observing bad behavior of $\mathcal{P}$.

A useful property of $\sqsubseteq_{may}$ is that it is compositional, in the sense that it is a precongruence with respect to our parallel composition operator [...], i.e. for all processes $\mathcal{P}, \mathcal{Q}, \mathcal{R}$, $\mathcal{P} \sqsubseteq_{may} \mathcal{Q}$ implies $\mathcal{P}\|\mathcal{R} \sqsubseteq_{may} \mathcal{Q}\|\mathcal{R}$.
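As an added example (our own code, not the paper's), the following Python models Definitions 1, 2, 4, 5, 7 and 8 on two constructed processes: it computes $\Omega(\mathcal{P}\|\mathcal{T})$ by enumerating the resolutions of the testing system, computes $\sup \Omega(\mathcal{P}\|\mathcal{T})$ directly, and checks the may-preorder against a finite family of tests. All names, states and probabilities below are constructed for the example; one process chooses between two actions nondeterministically, the other with a coin flip, and the tests show why the first may-refines the second but not vice versa.

```python
from fractions import Fraction as F
from functools import lru_cache
from itertools import product


class Process:
    """A probabilistic process (S, -->, pi_0) as in Definition 1: states are hashable
    labels, a distribution is a dict state -> exact Fraction, and a transition
    s -a-> pi is the triple (s, a, pi)."""

    def __init__(self, trans, init):
        self.trans = trans
        self.init = init

    def moves(self, s):
        """All transitions s -a-> pi leaving s; several mean a nondeterministic choice."""
        return [(a, pi) for (src, a, pi) in self.trans if src == s]


class Test(Process):
    """A probabilistic test (T, -->, rho_0, F) as in Definition 4: a finite-tree
    process plus a set F of terminal success states."""

    def __init__(self, trans, init, success):
        super().__init__(trans, init)
        self.success = frozenset(success)


def sync_moves(proc, test, s, t):
    """Transitions of the testing-system state s||t (Definitions 2 and 5): both sides
    synchronize on equal actions and move to the product distribution pi x rho."""
    return [(a, pi, rho) for a, pi in proc.moves(s)
            for b, rho in test.moves(t) if a == b]


def outcomes(proc, test):
    """Omega(P||T): the set of expected outcomes omega(C) over all resolutions C of P||T
    (Definitions 6 and 7). A resolution keeps at most one transition per state; keeping
    none ends that branch with outcome 0. The test is a finite tree, so this terminates."""

    @lru_cache(maxsize=None)
    def state_outcomes(s, t):
        if t in test.success:          # success states are terminal: outcome 1
            return frozenset([F(1)])
        res = {F(0)}                   # the resolution may stop at s||t
        for _, pi, rho in sync_moves(proc, test, s, t):
            res |= dist_outcomes(pi, rho)
        return frozenset(res)

    def dist_outcomes(pi, rho):
        # each s||t in the support of pi x rho is resolved independently; omega sums
        # the reaching probabilities sigma_C of the success states (Definition 7)
        branches = [[p * q * w for w in state_outcomes(s, t)]
                    for s, p in pi.items() for t, q in rho.items()]
        return frozenset(sum(choice) for choice in product(*branches))

    return dist_outcomes(proc.init, test.init)


def max_outcome(proc, test):
    """sup Omega(P||T): the best resolution takes the best transition in every state."""

    @lru_cache(maxsize=None)
    def value(s, t):
        if t in test.success:
            return F(1)
        return max([F(0)] + [dist_value(pi, rho)
                             for _, pi, rho in sync_moves(proc, test, s, t)])

    def dist_value(pi, rho):
        return sum(p * q * value(s, t) for s, p in pi.items() for t, q in rho.items())

    return dist_value(proc.init, test.init)


def may_refines(p, q, tests):
    """P <=_may Q (Definition 8) checked against a finite family of tests:
    sup Omega(P||T) >= sup Omega(Q||T) for each T given. Definition 8 quantifies
    over all tests, so True is only evidence while False is a refutation."""
    return all(max_outcome(p, t) >= max_outcome(q, t) for t in tests)


# Constructed sample processes (not from the paper): P does a, then chooses
# nondeterministically between b and c; Q does a, then b or c with probability 1/2.
P = Process([("s0", "a", {"s1": F(1)}), ("s1", "b", {"s2": F(1)}),
             ("s1", "c", {"s3": F(1)})], {"s0": F(1)})
Q = Process([("q0", "a", {"q1": F(1, 2), "q2": F(1, 2)}),
             ("q1", "b", {"q3": F(1)}), ("q2", "c", {"q4": F(1)})], {"q0": F(1)})

# Constructed tests: T_b succeeds on a then b; T_copy uses its own probabilistic
# choice after a to "copy" the process and watch for b on one copy, c on the other.
T_b = Test([("t0", "a", {"t1": F(1)}), ("t1", "b", {"ok": F(1)})], {"t0": F(1)}, {"ok"})
T_copy = Test([("t0", "a", {"t1": F(1, 2), "t2": F(1, 2)}),
               ("t1", "b", {"ok1": F(1)}), ("t2", "c", {"ok2": F(1)})],
              {"t0": F(1)}, {"ok1", "ok2"})

if __name__ == "__main__":
    for name, T in (("T_b", T_b), ("T_copy", T_copy)):
        print(name, "Omega(P||T) =", sorted(outcomes(P, T)), "Omega(Q||T) =", sorted(outcomes(Q, T)))
    print(may_refines(P, Q, [T_b, T_copy]), may_refines(Q, P, [T_b, T_copy]))  # True False
```

With these tests the nondeterministic process reaches success with probability 1 while the probabilistic one reaches it with at most 1/2, so the family refutes $\mathcal{Q} \sqsubseteq_{may} \mathcal{P}$; Theorem 1 below is what lifts the other direction from a finite family to all tests.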



3 Probabilistic Computation Trees 



In this section, we study alternative characterizations of the testing preorder defined in Definition 8. Our intention is to derive a characterization that is similar in spirit to the trace model developed for CSP and CCS. In this model, a process is characterized by a set of traces. Each trace represents a behavior of a process in a particular context, and therefore the preorder corresponds to inclusion between trace sets, since a process denoted by a larger set of traces has more possibilities to interact with its environment. In our probabilistic setting, we will try to find the analogues of traces, and characterize processes as sets of such objects.

To define the $\sqsubseteq_{may}$ preorder, we will define objects that correspond to traces in standard CSP [...]. A trace in CSP is just a sequence of actions that can be performed by a process from its initial state. It represents a possible contribution of the process to a particular execution, e.g., when interacting with a test process.

To arrive at “traces” in our context, let us consider what is really the contribution by a process to an execution. First, the initial distribution of the process is “copied” to a number of instances, corresponding to different outcomes of the initial probabilistic choice of the tester. From each combination of initial states of the process and tester, the testing system synchronizes an outgoing transition from the process with an outgoing transition of the tester; the result of such a transition will be a distribution, in which the distribution of the process is copied into a number of instances, corresponding to different outcomes of the probabilistic choice in the tester after the synchronizing transition.

In summary, the contribution by the process is described by a tree-like structure in which the process chooses one outgoing transition for each outcome of a probabilistic choice, and in which each probability distribution in a transition is copied a number of times. We are thus led to the following inductive definition of a probabilistic computation tree.

Definition 9. A Probabilistic Computation Tree (PCT) is a triple $\phi = (U, \delta, u_0)$, where

- $U$ is a finite set of nodes,
- $\delta$ is a mapping which assigns to each node in $U$ a finite set of partial distributions over $Act \times U$. The mapping $\delta$ is required to induce a tree structure on $U$, where $u$ is an immediate ancestor of $v$ iff $v$ is contained in a distribution in $\delta(u)$,
- $u_0$ is the root of the tree. □

We shall use probabilistic computation trees to characterize the behaviour of a 
process. In general, a process may contain a set of such trees. 



[Fig. 1 (panels: PCT, Process) not reproduced]

Fig. 1. Mapping a Probabilistic Computation Tree to a Process, where $g(u) = \pi$, $p = \mu(a, v)$, $q = \pi(h(a, v))$, and $p \le q$.



Definition 10. Let $\mathcal{P} = (S, \longrightarrow, \pi_0)$ be a process and $\phi = (U, \delta, u_0)$ be a probabilistic computation tree. Then $\phi$ is a probabilistic computation tree of $\mathcal{P}$ if there is a mapping $g : U \to Dist(S)$ such that

- $g(u_0) = \pi_0$, and
- if $g(u) = \pi$, then for each distribution $\mu \in \delta(u)$ there is an injective mapping $h : (Act \times U) \to S$ such that for all $(a, v)$ with $\mu(a, v) > 0$, we have $h(a, v) \stackrel{a}{\longrightarrow} g(v)$ and $\mu(a, v) \le \pi(h(a, v))$. □
The above definition has the form of a commuting diagram, which is described in Figure 1. Intuitively, the definition states that a probabilistic computation tree $\phi$ is a behaviour of a process $\mathcal{P}$ iff the structure of $\phi$ can be simulated by that of $\mathcal{P}$. Alternatively, we may view a probabilistic computation tree as describing a set of different choices that can be made by a process. Each outcome of such a choice is modeled by a distribution over the initial states of the process together with the initial actions that are chosen. Since each state $s$ in a distribution $\pi$ of a process in general has several outgoing transitions, there can be a distribution $\mu$ for each combination of chosen next transitions from the states in $\pi$. Different combinations of transitions from states in $\pi_0$ are represented by the initial distributions of $\phi$.



[Fig. 2 (panels: PCT $\phi$, PCT $\psi$) not reproduced]

Fig. 2. Two example processes with a probabilistic computation tree.



As an example, in Figure 2 we show a probabilistic computation tree $\phi$ of a process $\mathcal{P}$ and a probabilistic computation tree $\psi$ of a process $\mathcal{Q}$. In this case, the probabilistic computation trees contain a distribution for each combination of “initial transitions” in the corresponding processes. Note that the probabilistic computation tree $\psi$ is also a probabilistic computation tree of $\mathcal{P}$ (which will imply that $\mathcal{P} \sqsubseteq_{may} \mathcal{Q}$). However, there is no obvious mapping from states of $\mathcal{Q}$ to “simulating” states of $\mathcal{P}$; for example, the right state of $\mathcal{Q}$ cannot be simulated by any state of $\mathcal{P}$, which is the reason for defining $\sqsubseteq_{may}$ in terms of the probabilistic computation trees derived from a process.

We shall consider each process as a set of probabilistic computation trees, and our final goal is to characterize the may-testing preorder in terms of such trees. We first study the interrelationship between probabilistic computation trees and tests.

The following notion of completion describes how a probabilistic computation 
tree contributes to a resolution for a given test. 



[Fig. 3 (panels: PCT, Test) not reproduced]

Fig. 3. Completion from a Probabilistic Computation Tree to a Test, where $p = \rho(k(\mu)) > 0$ and $q = \mu((a, u)) > 0$.



Definition 11. Let $\phi = (U, \delta, u_0)$ be a probabilistic computation tree, and $\mathcal{T} = (T, \longrightarrow, \rho_0, F)$ be a test. A completion from $\phi$ to $\mathcal{T}$ is a mapping $k$ from $U$ to $Dist(T)$ and from reachable distributions of $\phi$ to $T$ such that

- $k(u_0) = \rho_0$, and
- if $k(u) = \rho$, then for each $\mu \in \delta(u)$ we have
  • $\rho(k(\mu)) > 0$, and
  • whenever $\mu((a, u)) > 0$, then $k(\mu) \stackrel{a}{\longrightarrow} k(u)$. □

This definition has the form of a commuting diagram, which is described in Figure 3. Note that given a test and a probabilistic computation tree, each completion gives exactly one resolution. The following definition states how to construct the resolution.

Definition 12. Given a completion $k$ from $\phi$ to $\mathcal{T}$, define the resolution $k(\phi)(\mathcal{T})$ as $\mathcal{C} = (C, \rightarrow, \theta_0)$, where

- $C$ contains all pairs of the form
  • $(a, u)\|k(\mu)$ such that $\mu((a, u)) > 0$, or
  • $\bullet\|k(\mu)$, where $\bullet$ is a particular element denoting a terminated computation tree,
- $\rightarrow$ contains all transitions of the form $(a, u)\|k(\mu) \rightarrow \theta(u)$, where the distribution $\theta$ is defined by
  • $\theta((a, u)\|k(\mu)) = \mu((a, u)) * k(u)(k(\mu))$, and
  • $\theta(\bullet\|k(\mu)) = 1 - |\mu|$,
- $\theta_0 = \theta(u_0)$. □

Given a resolution $\mathcal{C}$ of $\mathcal{P}\|\mathcal{T}$, we can also extract a probabilistic computation tree $\phi$ which represents the contribution of $\mathcal{P}$ in $\mathcal{C}$. We can also extract the correspondence between $\phi$ and $\mathcal{T}$ as a completion from $\phi$ to $\mathcal{T}$.

Lemma 1. Let $\mathcal{P}$ be a process and $\mathcal{T}$ be a test. For each resolution $\mathcal{C}$ of $\mathcal{P}\|\mathcal{T}$ there is a probabilistic computation tree $\phi$ of $\mathcal{P}$ and a completion $k$ from $\phi$ to $\mathcal{T}$ such that $\mathcal{C} = k(\phi)(\mathcal{T})$. □

Proof. Let $\mathcal{P} = (S, \longrightarrow, \pi_0)$, let $\mathcal{T} = (T, \longrightarrow, \rho_0, F)$, and let $\mathcal{C} = (C, \rightarrow, \theta_0)$. We define the probabilistic computation tree $\phi = (U, \delta, u_0)$ as follows:

- $U$ contains a node $u_{\pi,\rho}$ for each reachable distribution of the form $\pi\|\rho$ in $\mathcal{C}$,
- $\delta$ is defined as follows: for each $u_{\pi,\rho} \in U$ and each state $t$ with $\rho(t) > 0$, the set $\delta(u_{\pi,\rho})$ contains a distribution $\mu_{\pi,t}$ such that $\mu_{\pi,t}((a, u_{\pi',\rho'})) = \pi(s)$, where $s$ is the unique state in $S$ such that $s\|t \stackrel{a}{\rightarrow} \pi' \times \rho'$ is a transition of $\mathcal{C}$,
- $u_0 = u_{\pi_0,\rho_0}$.

We now define the completion $k$ from $\phi$ to $\mathcal{T}$ by $k(u_{\pi,\rho}) = \rho$ and $k(\mu_{\pi,t}) = t$.

We first check that $\phi$ is a probabilistic computation tree of $\mathcal{P}$ according to Definition 10. Define the mapping $g$ by $g(u_{\pi,\rho}) = \pi$. For a distribution $\mu_{\pi,t}$ in $\delta(u_{\pi,\rho})$, define the mapping $g$ from pairs of the form $(a, u_{\pi',\rho'})$ with $\mu_{\pi,t}((a, u_{\pi',\rho'})) > 0$ to $S$ by $g((a, u_{\pi',\rho'})) = s$, where $s$ is such that $\mathcal{C}$ has a transition of the form $s\|t \stackrel{a}{\rightarrow} \pi' \times \rho'$. This implies that $g((a, u_{\pi',\rho'})) \stackrel{a}{\longrightarrow} g(u_{\pi',\rho'})$. By the definition of $\mu_{\pi,t}$, we also have $\mu_{\pi,t}((a, u_{\pi',\rho'})) = g(u_{\pi,\rho})(g((a, u_{\pi',\rho'})))$.

We next check that $k$ is a completion from $\phi$ to $\mathcal{T}$. Let $\mu_{\pi,t}$ be a distribution in $\delta(u_{\pi,\rho})$. We immediately get $\rho(t) > 0$, implying that $k(u_{\pi,\rho})(k(\mu_{\pi,t})) > 0$. If $\mu_{\pi,t}((a, u_{\pi',\rho'})) > 0$ then $\mathcal{C}$ has a transition $s\|t \stackrel{a}{\rightarrow} \pi' \times \rho'$, meaning that $t \stackrel{a}{\longrightarrow} \rho'$, i.e., $k(\mu_{\pi,t}) \stackrel{a}{\longrightarrow} k(u_{\pi',\rho'})$.

Finally, we check that $\mathcal{C}$ is isomorphic to $k(\phi)(\mathcal{T})$. Consider the definition of $k(\phi)(\mathcal{T})$.

- The states of $k(\phi)(\mathcal{T})$ are defined to be all pairs of the form
  • $(a, u)\|k(\mu)$ such that $\mu((a, u)) > 0$. We identify $(a, u)\|k(\mu)$ with the state $g((a, u))\|k(\mu)$ of $\mathcal{C}$, or
  • $\bullet\|k(\mu)$. We identify $\bullet\|k(\mu)$ with all states of the form $s\|k(\mu)$ which are in $\mathcal{C}$ but are not of the form $g((a, u))\|k(\mu)$ for any $a$, $u$, and $\mu$. Intuitively, these are states that have no outgoing transition in $\mathcal{C}$.
- For each $u = u_{\pi,\rho}$ we find that the distribution $\theta(u)$ is equal to $\pi \times \rho$ on those states of $\mathcal{C}$ that have an outgoing transition in $\mathcal{C}$.
- The transitions of $k(\phi)(\mathcal{T})$ are all transitions of the form $(a, u)\|k(\mu) \rightarrow \theta(u)$. Now, if $(a, u)\|k(\mu)$ is a state, then $\mu((a, u)) > 0$, implying that for some $\pi, t, \pi'$ and $\rho'$ we have $\mu = \mu_{\pi,t}$ and $u = u_{\pi',\rho'}$, which by the definition of $\phi$ implies that $s\|t \stackrel{a}{\rightarrow} \pi' \times \rho'$. Noting that $\theta(u_{\pi',\rho'}) = \pi' \times \rho'$ concludes the proof.
- Noting that $\theta(u_{\pi_0,\rho_0}) = \pi_0 \times \rho_0$ shows that the initial distribution of $k(\phi)(\mathcal{T})$ is that of $\mathcal{C}$. □



In summary, each resolution in the testing system for a given process and a given 
test corresponds to a probabilistic computation tree of the process and vice versa. 
If a completion is given then the correspondence is one-to-one. Our next lemma 
claims that the expected outcome of such a resolution can be calculated directly 
using the completion. 

First, we need some notation. Let $\sigma_\phi(u)$ denote the probability of reaching $u$ in $\phi$. We can define this inductively as follows:

- Let $\sigma_\phi(u) = 1$ if $u$ is the root of $\phi$.
- If $\delta(u)$ contains a distribution $\mu$ with $\mu(u') > 0$, then $\sigma_\phi(u') = \sigma_\phi(u) * \mu(u')$.

Similarly, let $\sigma_{\mathcal{T}}(t)$ denote the probability of reaching $t$ in the test $\mathcal{T}$. For a distribution $\rho$ on states of $\mathcal{T}$, let $\omega(\rho)$ denote the probability $\sum_{t \in F} \rho(t)$ of a successful state in $\rho$.



Lemma 2. Given a probabilistic computation tree $\phi = (U, \delta, u_0)$ and a completion $k$ from $\phi$ to a test $\mathcal{T}$, the expected outcome $\omega(k(\phi)(\mathcal{T}))$ of $k(\phi)(\mathcal{T})$ can be calculated as

$$\omega(k(\phi)(\mathcal{T})) = \sum_{u \in U} \sigma_\phi(u) * \sigma_{\mathcal{T}}(k(u)) * \omega(k(u)).$$

Proof. It follows from Definition 7 and Definition 12. □

That is, the expected outcome of $k(\phi)(\mathcal{T})$ can be calculated by summing, for each node $u$ in $\phi$, the probability of reaching the combination of $u$ and its corresponding distribution $k(u)$ in the test, multiplied by the probability $\omega(k(u))$ that the test has at that point reached an accepting state.



4 Characterization Theorem 

In Definition 12 and Lemma 1 we have established a relationship between probabilistic computation trees of $\mathcal{P}$ and resolutions of $\mathcal{P}\|\mathcal{T}$. This relationship immediately allows us to conclude that if the probabilistic computation trees of $\mathcal{Q}$ are included in those of $\mathcal{P}$ then $\mathcal{P} \sqsubseteq_{may} \mathcal{Q}$. The converse, however, does not hold. Intuitively, this is due to the following facts.

1. If $\phi_1$ and $\phi_2$ are probabilistic computation trees of a process which have the same structure, only with different values assigned to the probability distributions, then the expected outcome of a resolution which corresponds to “a convex combination” (we will later make this notion precise) of $\phi_1$ and $\phi_2$ must always lie between the expected outcomes of resolutions that correspond to $\phi_1$ and $\phi_2$.

2. Deferring a probabilistic choice restricts the possibilities for a test, and hence does not increase the set of possible outcomes.

3. Making a nondeterministic choice earlier also restricts the possibilities for a test, and hence does not increase the set of possible outcomes.

We define a criterion of “covering a probabilistic computation tree by a convex combination of other probabilistic computation trees” which captures these three transformations.

Definition 13. Let $\phi = (U, \delta, u_0)$ and $\psi = (V, \delta, v_0)$ be probabilistic computation trees. A covering from $\phi$ to $\psi$ is a function $h$ from nodes of $\phi$ to nodes of $\psi$ and from reachable distributions of $\phi$ to reachable distributions of $\psi$ such that

- whenever $\mu \in \delta(u)$ then $h(\mu) \in \delta(h(u))$,
- whenever $\mu((a, u)) > 0$ then $h(\mu)((a, h(u))) > 0$, and
- $h(u_0) = v_0$. □



[Fig. 4 (panels: PCT $\phi$, PCT $\psi$) not reproduced]

Fig. 4. Covering between Probabilistic Computation Trees, where $p = \mu(a, v) > 0$ and $q = \pi(h(a, v)) > 0$.
We illustrate the definition in Figure 4. Intuitively, a covering from $\phi$ to $\psi$ shows how $\phi$ can emulate $\psi$ when composed with an arbitrary test $\mathcal{T}$, in the sense that if $l$ is a completion of $\psi$ by $\mathcal{T}$, then $l \circ h$ is a completion of $\phi$ by $\mathcal{T}$. This is stated in the following lemma.

Lemma 3. Assume that $\mathcal{T} = (T, \longrightarrow, \rho_0, F)$ is a test, and $\phi$ and $\psi$ are probabilistic computation trees. Let $l$ be a completion from $\psi$ to $\mathcal{T}$, and $h$ be a covering from $\phi$ to $\psi$. Then $l \circ h$ is a completion from $\phi$ to $\mathcal{T}$. □

Proof. Let $k = l \circ h$. We check the conditions in Definition 11.

- If $\mu \in \delta(u)$ then $h(\mu) \in \delta(h(u))$, implying that $l(h(u))(l(h(\mu))) > 0$, implying that $k(u)(k(\mu)) > 0$.
- Whenever $\mu((a, u)) > 0$ we have $h(\mu)((a, h(u))) > 0$, implying $l(h(\mu)) \stackrel{a}{\longrightarrow} l(h(u))$, implying $k(\mu) \stackrel{a}{\longrightarrow} k(u)$.
- $k(u_0) = l(h(u_0)) = \rho_0$. □



We generalize the notion of covering to sets of probabilistic computation trees.

Definition 14. Assume a probabilistic computation tree $\psi = (V, \delta, v_0)$ and a set of such trees $\{\phi_1, \phi_2, \ldots, \phi_n\}$. We say that $\psi$ is covered by a convex combination of (or simply covered by) $\phi_1, \ldots, \phi_n$ if

- there are nonnegative real numbers $\lambda_1, \lambda_2, \ldots, \lambda_n$ with $\sum_{i=1}^{n} \lambda_i = 1$, and
- for each $\phi_i$ there is a covering $h_i$ from $\phi_i$ to $\psi$,

such that for all nodes $v \in V$ we have

$$\sigma_\psi(v) \le \sum_{i=1}^{n} \lambda_i * \sum_{v = h_i(u)} \sigma_{\phi_i}(u).$$

□



To establish our main result, we need the following fact from linear algebra.

Lemma 4. Assume that $x$ and $y_1, \ldots, y_n$ are vectors in $\mathbb{R}^m$ with nonnegative coordinates. If for each vector $z$ in $\mathbb{R}^m$ with nonnegative coordinates there is a vector $y_i$ such that $\langle x, z \rangle \le \langle y_i, z \rangle$, where $\langle u, v \rangle$ is the standard inner product, then there are nonnegative real numbers $\lambda_1, \ldots, \lambda_n$ with $\sum_{i=1}^{n} \lambda_i = 1$ such that

$$x \le \sum_{i=1}^{n} \lambda_i * y_i,$$

where the inequality $\le$ holds in each coordinate. □

We can now state the characterization theorem for $\sqsubseteq_{may}$.

Theorem 1. $\mathcal{P} \sqsubseteq_{may} \mathcal{Q}$ if and only if each probabilistic computation tree of $\mathcal{Q}$ is covered by a convex combination of probabilistic computation trees of $\mathcal{P}$. □

Proof. We first treat the if-direction. Let $\mathcal{T} = (T, \longrightarrow, \rho_0, F)$ be a test, and consider a maximal resolution $\mathcal{D} = (D, \rightarrow, \vartheta_0)$ of $\mathcal{Q}\|\mathcal{T}$. By Lemma 1 there is a probabilistic computation tree $\psi$ of $\mathcal{Q}$ and a completion $l$ from $\psi$ to $\mathcal{T}$ such that $\mathcal{D} = l(\psi)(\mathcal{T})$. By assumption, there are chains $\phi_1, \ldots, \phi_n$ of $\mathcal{P}$ and nonnegative numbers $\lambda_1, \ldots, \lambda_n$ with $\sum_{i=1}^{n} \lambda_i = 1$ such that for each $i = 1, \ldots, n$ there is a covering $h_i$ from $\phi_i$ to $\psi$ such that for all states $v$ of $\psi$ we have

$$\sigma_\psi(v) \le \sum_{i=1}^{n} \lambda_i * \sum_{v = h_i(u)} \sigma_{\phi_i}(u).$$

Consider a fixed $\phi_i$ of $\mathcal{P}$. By Lemma 3, if $h_i(u_i)\|t$ is a state of $l(\psi)(\mathcal{T})$, then $u_i\|t$ is a state of $k(\phi_i)(\mathcal{T})$. Thus, by the definition of covering we can conclude

$$\omega(\mathcal{D}) \le \sum_{i=1}^{n} \lambda_i * \omega(\mathcal{C}_i).$$

Since $\sum_{i} \lambda_i = 1$ there must be an $i$ such that $\omega(\mathcal{D}) \le \omega(\mathcal{C}_i)$. The proof now follows by observing that the resolution $\mathcal{C}_i$ can be extended to a maximal resolution $\mathcal{C}'_i$ such that $\omega(\mathcal{C}'_i) \ge \omega(\mathcal{C}_i)$.

We then treat the only-if direction. Assume that $\mathcal{P} \sqsubseteq_{may} \mathcal{Q}$. Let $\psi = (V, \delta, v_0)$ be a probabilistic computation tree of $\mathcal{Q}$. We must prove that $\psi$ is covered by a convex combination of probabilistic computation trees of $\mathcal{P}$. The idea of the proof is the following. Assume an arbitrary mapping $z : V \to [0, 1]$ from nodes of $\psi$ to real numbers between 0 and 1. From $\psi$ and $z$ we will construct a test $\mathcal{T}_{\psi,z}$ and a completion $l$ from $\psi$ to $\mathcal{T}_{\psi,z}$ such that for each $v \in V$, the probability that $\mathcal{T}_{\psi,z}$ reaches a success state which in $l(\psi)(\mathcal{T}_{\psi,z})$ occurs in parallel with $v$ is proportional to $\sigma_\psi(v) * z(v)$. This probability can be expressed as the product of the probability $\sigma_{\mathcal{T}_{\psi,z}}(l(v))$ that $\mathcal{T}_{\psi,z}$ reaches the distribution that corresponds to $v$, and the proportion $\omega(l(v))$ of success states in the distribution $l(v)$. In other words, there is a $K > 0$ such that for each $v \in V$ we have

$$\sigma_{\mathcal{T}_{\psi,z}}(l(v)) * \omega(l(v)) = K * z(v).$$

This implies that the probability that $l(\psi)(\mathcal{T}_{\psi,z})$ reaches a success state of the form $v\|t$ for some $t$ is equal to

$$\sigma_\psi(v) * \sigma_{\mathcal{T}_{\psi,z}}(l(v)) * \omega(l(v)) = K * \sigma_\psi(v) * z(v).$$

Thus, the probability that $l(\psi)(\mathcal{T}_{\psi,z})$ reaches a success state is

$$\omega(l(\psi)(\mathcal{T}_{\psi,z})) = K * \sum_{v \in V} (\sigma_\psi(v) * z(v)).$$
Consider now an arbitrary resolution $C$ of $P \| T_{\psi,z}$. By Lemma [?] there is a probabilistic computation tree $\phi$ of $P$ and a completion $k$ from $\phi$ to $T_{\psi,z}$ such that $C = k(\phi)(T_{\psi,z})$. Define the function $h$ by letting $v = h(u)$ iff $k(u) = l(v)$, and by letting $\nu = h(\mu)$ iff $k(\mu) = l(\nu)$. It will turn out that $h$ is a covering from $\phi$ to $\psi$. By Lemma [?] it follows that $k = l \circ h$ and that the probability that $C = k(\phi)(T_{\psi,z})$ reaches a success state satisfies

$$\omega(C) = \sum_{v \in V} \sum_{v = h(u)} \sigma_\phi(u) \cdot \sigma_{T_{\psi,z}}(l(v)) \cdot \omega(l(v)) = K \cdot \sum_{v \in V} \Big(\sum_{v = h(u)} \sigma_\phi(u)\Big) \cdot z(v)$$



Thus, by the assumption that $P \sqsubseteq_{may} Q$ we get that for any probabilistic computation tree $\psi$ of $Q$ and any $z : V \to [0, 1]$ there must be a probabilistic computation tree $\phi$ of $P$ such that

$$\sum_{v \in V} \big(\sigma_\psi(v) \cdot z(v)\big) \le \sum_{v \in V} \Big(\sum_{v = h(u)} \sigma_\phi(u)\Big) \cdot z(v)$$



Since $z$ is arbitrary, there must by Lemma 4 be nonnegative real numbers $\lambda_1, \ldots, \lambda_n$ with $\sum_{i=1}^{n} \lambda_i = 1$ and chains $\phi_1, \ldots, \phi_n$ of $P$ such that for each nonterminal node $v$ of $\psi$ we have

$$\sigma_\psi(v) \le \sum_{i=1}^{n} \lambda_i \cdot \Big(\sum_{v = h_i(u)} \sigma_{\phi_i}(u)\Big)$$

Since we earlier proved that each such $h_i$ is a covering from $\phi_i$ to $\psi$, the theorem is proven.

It remains to construct the test $T_{\psi,z}$. This is done as the tuple $(T, \to, p_0, F)$ where

— $T$ consists of

• one state $t_\nu$ for each reachable distribution $\nu \in Dist(Act \times V)$ of $\psi$, and

• one state $t_v$ for each reachable state $v$ of $\psi$,

— Define $l(v) = t_v$.

— The test $T_{\psi,z}$ has one reachable distribution, defined as $l(v)$, for each $v \in V$, which satisfies, either

• $l(v)(t') > 0$ iff $t' = t_\nu$ for $\nu$ with $\nu \in S(v)$, and

• $l(\nu)(t') > 0$ iff $t' = t_v$.

— $\to$ contains a transition $t_v \to l(\nu)$ for each reachable distribution $\nu$ in $\psi$, and for each pair $(b, v)$ with $\nu((b, v)) > 0$.

— $p_0 = l(v_0)$.

— $F$ is the set of states of form $t_v$ for $v \in V$.

The probabilities in $T_{\psi,z}$ are assigned so that for some normalization constant $K > 0$ we have that for each $v \in V$:

$$K \cdot z(v) = \sigma_{T_{\psi,z}}(t_v) = \sigma_{T_{\psi,z}}(l(v)) \cdot \omega(l(v))$$

where $\sigma_{T_{\psi,z}}(l(v))$ is the probability of reaching the distribution $l(v)$ within $T_{\psi,z}$, and $\omega(l(v))$ is simply $l(v)(t_v)$, i.e., the probability of reaching the success state $t_v$ within the distribution $l(v)$.

We should check that the mapping $l$ as defined above is really a completion from $\psi$ to $T_{\psi,z}$. We check the conditions in Definition [?]:

— Let $v \in V$, and let $\nu \in S(v)$. By the definition of $k(v)$ we have $k(v)(k(\nu)) > 0$.

— Let $\nu((a, v)) > 0$. By the definition of $\to$ we have $k(\nu) \to k(v)$.

— By definition, $k(v_0) = p_0$.

We next check that the function $h$ is indeed a covering from $\phi$ to $\psi$. Recall that a state of $\phi$ is of form $u_{\pi,\rho}$ where $\pi$ is a reachable distribution in $P$ and $\rho$ is a reachable distribution in $T_{\psi,z}$. By the construction of $T_{\psi,z}$, the distribution $\rho$ is $l(\nu)$ for some $\nu \in V$. Since $k(u_{\pi,l(\nu)})$ is defined to be $l(\nu)$, we have $h(u_{\pi,l(\nu)}) = \nu$. This is well defined, since $l$ is injective and ranges over all reachable distributions of $T_{\psi,z}$. We check the conditions in Definition [?]:

— Let $\mu \in S(u)$. By the proof of Lemma [?] this means that $\mu = \mu_{\pi,t}$ and $u = u_{\pi,\rho}$ with $\rho(t) > 0$. By the construction of $T_{\psi,z}$, this means that $\rho = l(v)$ and that $t = l(\nu)$ where $\nu \in S(v)$.

— Let $\mu((a, u)) > 0$. By the proof of Lemma [?] this means that $\mu = \mu_{\pi,\rho}$ and $u = u_{\pi',\rho'}$, with $t \to \rho'$. By the construction of $T_{\psi,z}$, this means that $t = l(v)$ and that $\rho' = l(\nu)$ where $\nu((a, v)) > 0$.

— $h(u_0) = v_0$ is trivial. □



5 Conclusion 

Transition systems are well-established as a basic semantic model for concurrent and distributed systems (e.g. [?]). To study probabilistic behaviours, various extensions to the model of transition systems have been proposed. One of these extensions is probabilistic transition systems (see e.g. [?]) in which the concept of probabilistic choice is independent from that of nondeterministic choice. Thus, one can reason about nondeterministic (e.g. underspecification) and stochastic behaviours in one framework. To develop a semantical basis of refinement for probabilistic transition systems, we have studied the notion of probabilistic testing and the associated compositional testing preorders, developed by Wang and Larsen, which extends the testing framework of de Nicola and Hennessy for nonprobabilistic processes.

We have developed a model of probabilistic computation trees. We believe that the model of probabilistic computation trees is a natural probabilistic extension of the classic trace model for CSP [?]. Our main contribution is a fully abstract characterization of the may-testing preorder. The characterization is given based on convex closures of probabilistic computation trees.
Abstract. In this paper we show how quantitative program logic [?] provides a formal framework in which to promote standard techniques of program analysis to a context where probability and nondeterminism interact, a situation common to probabilistic distributed algorithms. We show that overall performance can be formulated directly in the logic and that it can be derived from local properties of components. We illustrate the methods with an analysis of performance of the probabilistic dining philosophers [?].



1 Introduction 

Distributed systems consist of a number of independent components whose interleaved behaviour typically generates much nondeterminism; the addition of probability incurs an extra layer of complexity. Our principal aims here are to illustrate how, using ‘quantitative program logic’, familiar techniques from standard programming paradigms easily extend to the probabilistic context, and that they can be used even to evaluate performance.

Examples of all our program techniques — compositional reasoning, μ-calculus treatments of temporal logic and fairness — can be found in the general literature [?]; the novel aspects of the present work lie in their smooth extension via the quantitative logic, and our exploitation of the extended type (of reals rather than Booleans) in our formulation of performance operators as explicit μ-calculus expressions in the logic. The advantages are not merely cosmetic: by making performance and correctness objects of the same kind we discover that performance can be calculated directly from local properties of components. Locality has particular significance here since in practice it reduces system-wide analysis to the analysis of a single component in isolation from the others, vastly simplifying arguments. And finally, it is worth mentioning that though our primary theme is proof, our estimated performance of the random dining philosophers [?] is still lower than some other published analyses [?].

Our presentation is in three sections. In Sec. 2 and Sec. 3 we set out the programming model, the quantitative program logic and the μ-calculus formulations for probabilistic temporal logic and performance. Some properties of the operators are also explained in those sections. In Sec. 4 we analyse the dining philosophers.

We uniformly use $S$ for the state space and $\overline{S}$ for discrete probability distributions over $S$. We also use ‘:=’ for ‘is defined to be’ and ‘.’ for function application. We lift ordinary arithmetic operators pointwise to operators between functions: addition (+); multiplication (×); maximum (⊔) and minimum (⊓). Other notation is introduced as needed.

2 Program Logic and Estimating Probabilities 

Operationally we model probabilistic sequential programs [?] (compare also [?]) as functions from (initial) state to sets of distributions over (final) states. Intuitively that describes a computation proceeding in two (indivisible) stages: a nondeterministic choice, immediately followed by a probabilistic choice, where the probability refers to the possible final states reachable from a given initial state. In this view the role of nondeterminism is to allow an arbitrary selection over some range of probability distributions; however the agent making that selection can only influence the weights of the probabilistic transitions, not their actual resolution once those weights have been picked. That behaviour is precisely the kind exhibited by an ‘adversary scheduler’ assumed of many distributed algorithms [?]. We shall discuss schedulers in more detail in Sec. 4.

Unlike other authors we shall not use the operational model directly for program analysis. We introduce it only as an aid to intuition and in practice we use the quantitative program logic introduced elsewhere [?]: it is equivalent to the operational view and is analytically more attractive. The idea, first suggested by Kozen [?] for deterministic programs, is to extract information about probabilistic choices by considering ‘expected values’. Ordinary program logic [?] identifies preconditions that guarantee postconditions; in contrast, for probabilistic programs, the probability, rather than the certainty, of achieving a postcondition is of interest, and Kozen’s insight was to formulate that as the result of averaging certain real-valued functions of the state over the final distributions determined by the program. Thus, the quantitative logic we use is an extension of Kozen’s (since our programs are both nondeterministic and probabilistic) and is based on expectations (real-valued functions of the state rather than Boolean-valued predicates). We denote the space of expectations by $\mathcal{E}S$ $(:= S \to \mathbb{R})$, and we define the semantics of a probabilistic program $r$ as $wp.r$, an expectation transformer [?].

Definition 2.1 Let $r : S \to \mathbb{P}(\overline{S})$ be a program taking initial states in $S$ to sets of final distributions over $S$. Then the least possible pre-expectation¹ at state $s$ of program $r$, with respect to post-expectation $A$ in $\mathcal{E}S$, is defined

$$wp.r.A.s := \big(\sqcap F : r.s \cdot \textstyle\int_F A\big)\,,$$

where $\int_F A$ denotes the integral of $A$ with respect to distribution $F$.² □

¹ This interpretation is the same as the greatest guaranteed pre-expectation used elsewhere [?].

In the special case that $A$ is $\{0, 1\}$-valued — a characteristic expectation — we may identify a predicate which is true exactly at those states where $A$ evaluates to 1, and then the above interpretation makes $wp.r.A.s$ the least possible probability that $r$ terminates in a state satisfying that predicate. To economise on notation we often pun a characteristic expectation with its associated predicate, saying that ‘$s$ satisfies $A$’ when strictly speaking we mean $A.s = 1$. The context should dispel confusion, however. Other distinguished functions are the constants $\underline{1}$ and $\underline{0}$, evaluating everywhere to 1 and 0 respectively and thus corresponding to true and false. We also write $\overline{A}$ for the negation of $A$ (equivalent to $\underline{1} - A$).

By taking the minimum over a set of distributions in Def. 2.1 we are adopting the demonic interpretation for nondeterministic choice, and for many applications it is the most useful, since it generalises the ‘for all’ modality of transition semantics [?]. Thus if $wp.r.A.s = p$ say for some real $p$ then all (probabilistic) transitions in $r.s$ ensure a probability of at least $p$ of achieving $A$. For our application to performance, however, upper bounds have more significance: thus we define also the dual of $wp.r$, generalising the ‘exists’ modality [?]. (Compare also upper and lower probability estimates [?].)

Definition 2.2 Let $r : S \to \mathbb{P}(\overline{S})$ be a program, taking initial states in $S$ to sets of final distributions over $S$. Then the greatest possible pre-expectation at state $s$ of program $r$, with respect to post-expectation $A$ in $\mathcal{E}S$, is defined³

$$\overline{wp}.r.A.s := \underline{1} - wp.r.(\underline{1} - A).s\,.$$

□

The semantics for a (restricted) programming language, sufficient for the applications of later sections, is set out in Fig. 1. It is essentially the same as for ordinary predicate transformers [?] except for probabilistic choice, which is defined as the weighted average of the pre-expectations of its operands.

To illustrate the logic we consider the program set out in Fig. 2, for which we calculate the least possible probability that the variable $b$ is set to true after a single execution. From Def. 2.1 that is given by $wp.Chooser.\{b = true\}$, where $\{e = v\}$ denotes the predicate (i.e. characteristic expectation) ‘$e$ is equal to $v$’. From Fig. 1 we see that in order to evaluate the conditional choice in Chooser, we need to consider each of the options separately.

We calculate the ‘$b = false$’ case first. Denoting equivalence of expectations by $\equiv$, we reason:

² In fact $\int_F A$ is just $\sum_{s \in S} A.s \times F.s$ because $S$ is finite and $F$ is discrete [?]. We use the $\int$-notation because it is less cluttered, and to be consistent with the more general case.

³ This is equivalent to interpreting nondeterministic choice as maximum, and so $\overline{wp}.r.A.s = (\sqcup F : r.s \cdot \int_F A)$. It is similar to an angelic interpretation for nondeterminism.
assignment                $wp.(x := E).A := A[E/x]$

probabilistic choice      $wp.(r\ {}_p\oplus\ r').A := p(wp.r.A) + (1 - p)(wp.r'.A)$

nondeterministic choice   $wp.(r\ []\ r').A := wp.r.A \sqcap wp.r'.A$

sequential composition    $wp.(r;\, r').A := wp.r.(wp.r'.A)$

conditional choice        $wp.(r\ \text{if}\ B\ \text{else}\ r').A := B \times wp.r.A + \overline{B} \times wp.r'.A$

$A$ is in $\mathcal{E}S$ and $E$ is an expression in the program variables. The expression $A[E/x]$ denotes replacement of variable $x$ by $E$ in $A$. The real $p$ satisfies $0 \le p \le 1$, and $pA$ means ‘expectation $A$ scaled by $p$’. Finally $B$ is Boolean-valued when it appears in a program statement but is interpreted as a $\{0, 1\}$-valued expectation in the semantics.

Fig. 1. Probabilistic wp semantics. Nondeterminism is interpreted demonically.



$Chooser := (b := true)\ \text{if}\ \{b = true\}\ \text{else}\ \big((b := true)\ []\ (b := true\ {}_{1/2}\oplus\ b := false)\big)$

If $b$ is false initially then it can be either set to true unconditionally, or only with probability 1/2: the choice between those two options is resolved nondeterministically.

Fig. 2. Randomised Chooser with a Boolean-valued variable $b$.



$wp.((b := true)\ []\ (b := true\ {}_{1/2}\oplus\ b := false)).\{b = true\}$

$\equiv\ wp.(b := true).\{b = true\} \sqcap wp.(b := true\ {}_{1/2}\oplus\ b := false).\{b = true\}$   nondeterministic choice

$\equiv\ \{true = true\} \sqcap wp.(b := true\ {}_{1/2}\oplus\ b := false).\{b = true\}$   assignment

$\equiv\ \underline{1} \sqcap \big(wp.(b := true\ {}_{1/2}\oplus\ b := false).\{b = true\}\big)$   see below

$\equiv\ \underline{1} \sqcap \big(1/2\,(wp.(b := true).\{b = true\}) + 1/2\,(wp.(b := false).\{b = true\})\big)$   probabilistic choice

$\equiv\ \underline{1} \sqcap \big(\{true = true\}/2 + \{false = true\}/2\big)$   assignment

$\equiv\ \underline{1} \sqcap (1/2 \times 1 + 1/2 \times 0)$   see below

$\equiv\ 1/2\,.$   arithmetic

For the deferred justifications, we use the equivalences $\{true = true\} \equiv \underline{1}$ and $\{false = true\} \equiv \underline{0}$.

A similar (though easier) calculation follows for the ‘$b = true$’ case, resulting in $wp.(b := true).\{b = true\} \equiv \underline{1}$, and putting the two together with the rule for conditional choice we find

$$wp.Chooser.\{b = true\} \equiv \{b = true\} + \{b = false\}/2\,, \qquad (1)$$

implying that there is a probability of at least 1/2 of achieving $\{b = true\}$ if execution of Chooser begins at $\{b = false\}$ and of (at least) 1 if execution begins at $\{b = true\}$.

In contrast, we can calculate the greatest possible probability of reaching $\{b = false\}$ using Def. 2.2:

$\overline{wp}.Chooser.\{b = false\}$

$\equiv\ \underline{1} - wp.Chooser.(\underline{1} - \{b = false\})$   Def. 2.2

$\equiv\ \underline{1} - wp.Chooser.\{b = true\}$   $b$ is Boolean-valued

$\equiv\ \underline{1} - (\{b = true\} + \{b = false\}/2)$   (1)

$\equiv\ \{b = false\}/2\,,$   (2)

yielding a probability of at most 1/2 if execution begins at $\{b = false\}$ and 0 if it begins at $\{b = true\}$ — there is no execution from $\{b = true\}$ to $\{b = false\}$.

In this section we have considered maximum and minimum probabilities using $wp$ and $\overline{wp}$ for a single execution of a program. In the next section we extend the ideas to temporal-style semantics.

3 Computation Trees and Fixed Points 

In this section we consider arbitrarily many executions of a fixed program denoted $\bigcirc$. Later we shall interpret it as $wp.prog$ for some program $prog$, but for the moment we adopt an abstract view. (We shall also use $\overline{\bigcirc}$, to be interpreted as $\overline{wp}.prog$.) Ordinary program semantics of such systems are computation trees [?], with each arc of the tree representing a transition determined by $\bigcirc$. A path in the tree represents the effect of some number of executions of $\bigcirc$, and is defined by a sequence whose entries are (labelled by) the states connecting contiguous arcs. When $\bigcirc$ contains probabilistic choices, the probabilistic transitions in $\bigcirc$ generate (sets of) probability distributions over paths of the computation tree: probabilities over finite paths may be calculated directly, and they determine a well defined probability distribution over all paths.⁴ Our aim for this section is, as for the state-to-state transition model, to extract probabilistic information about the paths by interpreting ‘path operators’ (defined with expectation transformers) over the computation trees, again avoiding direct reference to the underlying path-distributions.

Standard treatments of tree-based semantics often use μ-calculus expressions in the program logic [?], and it turns out [?] that such formulations for the temporal properties ‘eventually’ and ‘always’ have straightforward generalisations in the quantitative logic by replacing ∨ and ∧ in those expressions by ⊔ and ⊓ respectively. The resulting operators, ◇ and □ (set out in Fig. 3), when applied to a characteristic expectation $A$ return the probability (rather than the certainty) that eventually or always $A$ holds of the paths in the computation tree.

⁴ It is usually called the Borel measure over cones [?].

But in the more general setting we can do more: for the reals support a wider range of operators (than do Booleans), promising greater expressivity; indeed as well as correctness we can also express performance directly within the logic. Our first performance measure, denoted $\Delta A$ (also set out in Fig. 3), expresses the expected length of the path in the computation tree until predicate $A$ holds. In the context of program analysis it corresponds to the expected number of (repeated) executions of $\bigcirc$ required until $A$ holds.



least possible eventually       $\Diamond A := (\mu X \cdot A \sqcup \bigcirc X)$

greatest possible eventually    $\overline{\Diamond} A := (\mu X \cdot A \sqcup \overline{\bigcirc} X)$

least possible always           $\Box A := (\nu X \cdot A \sqcap \bigcirc X)$

greatest possible always        $\overline{\Box} A := (\nu X \cdot A \sqcap \overline{\bigcirc} X)$

least possible time to $A$      $\Delta A := (\mu X \cdot 0\ \text{if}\ A\ \text{else}\ (1 + \bigcirc X))$

greatest possible time to $A$   $\overline{\Delta} A := (\mu X \cdot 0\ \text{if}\ A\ \text{else}\ (1 + \overline{\bigcirc} X))$

$A$ is $\{0, 1\}$-valued.

Fig. 3. Expectation operators with respect to a distribution over the computation tree generated by $\bigcirc$.



To make the link between the fixed-point expression for $\Delta A$ in Fig. 3 and expected length of the computation path to reach $A$ we unfold the fixed point once: if $A$ holds it returns 0 — no more steps are required to achieve $A$ along the path; otherwise we obtain a ‘1+’ — at least one more step is required to reach $A$.⁵ A formal justification is given elsewhere [?].

In general the μ-calculus expressions correspond to the ‘for all’ or ‘exists’ fragments of temporal logic [?] according to whether they are defined with $\bigcirc$ or $\overline{\bigcirc}$. For example $\overline{\Diamond} A$ defined with $\overline{\bigcirc}$ returns the maximum possible probability that a path satisfies eventually $A$. Also $\overline{\Delta} A$ gives an upper bound on the number of steps required to reach $A$.

The introduction of fixed points requires a notion of partial order on $\mathcal{E}S$, and here we use one induced by probabilistic implication $\Rrightarrow$ (defined next with its variants) extending ordinary Boolean implication:

$\Rrightarrow$ ‘everywhere no more than’

$\equiv$ ‘everywhere equal to’

$\Lleftarrow$ ‘everywhere no less than’ .

⁵ An equivalent formulation for $\Delta A$ is $(\mu X \cdot \overline{A} \times (\underline{1} + \bigcirc X))$. We shall use this more succinct form in our calculations rather than that set out in Fig. 3, which is helpful only in that it is close to the informal explanation.
In fact we define fixed points within certain subsets of $\mathcal{E}S$ because the existence of the fixed points is assured in spaces that have a least or greatest element, and the whole of $\mathcal{E}S$ has neither.⁶ We are careful however to choose subsets that suit our interpretation. Thus for least fixed points (μ) we take the non-negative expectations: the least element is $\underline{0}$, and our applications — average times and probabilities of events — are all the result of averaging over non-negative expectations. For greatest fixed points (ν) we restrict to expectations bounded above by $\underline{1}$: the greatest element is $\underline{1}$ and we use greatest fixed points only to express probabilities, which involve averaging over characteristic expectations, themselves bounded above by $\underline{1}$. We set out the full technical details elsewhere [?].



feasibility

duality      If $A \Rrightarrow \underline{1}$ then $\Diamond A \equiv \underline{1} - \Box(\underline{1} - A)$

invariants   If $I \Rrightarrow \bigcirc I$ and $I \Rrightarrow A$ then $I \Rrightarrow \Box A$

$A$ is $\{0, 1\}$-valued and $I$ is in $\mathcal{E}S$.

Fig. 4. Some properties of the path operators.



The first property of Fig. 4 is general to expectation operators whereas the latter two apply only to fixed points. In particular the invariant law extends the notion of ordinary program invariants: an expectation $I$ in $\mathcal{E}S$ is said to be an invariant of $\bigcirc$ provided $\bigcirc I \Lleftarrow I$. When $I$ takes arbitrary values, the invariant law says that the probability that $A$ always holds along the paths with initial state $s$ is at least $I.s$. This property is fundamental to our treatment of ‘rounds’ in the next section.

We end this section with a small example illustrating $\overline{\Delta}$. We use the program Chooser set out in Fig. 2 above (hence $\overline{\bigcirc}$ is interpreted as $\overline{wp}.Chooser$), and we wish to calculate $\overline{\Delta}\{b = true\}$, an upper bound on the expected number of times Chooser must be executed until $b$ is set to true. In a simple case where there is a probability of success on each execution (specifically here if Chooser sets $b$ to true) elementary probability theory implies that the expected time to success is the result of summing over a geometric distribution; in contrast the calculation below shows how to find that time using our program logic. (In fact since Chooser is nondeterministic, probability theory is not applicable, and the analysis requires a more general framework such as this one.) We note first that $\overline{\Delta}\{b = true\}$ evaluated at ‘$b = true$’ is 0 (for $b$ is already set to true). Thus we know that $\overline{\Delta}\{b = true\} \equiv q\{b = false\}$, for some non-negative real $q$ which we must determine (where recall that we use $qA$ to mean ‘$A$ scaled by $q$’). With that in mind, we reason

⁶ We also assume continuity of the operators concerned [?].



$\overline{\Delta}\{b = true\}$

$\equiv\ \overline{\{b = true\}} \times \big(\underline{1} + \overline{wp}.Chooser.(\overline{\Delta}\{b = true\})\big)$   definition $\overline{\Delta}$; Fig. 3 and footnote 5

$\equiv\ \{b = false\} \times \big(\underline{1} + \overline{wp}.Chooser.(q\{b = false\})\big)$   $\overline{\Delta}\{b = true\} \equiv q\{b = false\}$

$\equiv\ \{b = false\} \times \big(\underline{1} + q(\overline{wp}.Chooser.\{b = false\})\big)$   see below

$\equiv\ \{b = false\} \times (\underline{1} + q\{b = false\}/2)\,.$   from (2)

For the deferred justification we are using the scaling property of $\overline{wp}.Chooser$ which allows us to distribute the scalar $q$.⁷

Now evaluating at ‘$b = false$’ we deduce from the above equality that

$$q = 1 + q/2\,,$$

giving $q = 2$, and (unsurprisingly) an upper bound of 2 on the number of executions of Chooser required to achieve success.
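The following Python is an added worked example, not code from the paper: it encodes the wp rules of Fig. 1 over the two-state space of Chooser (Fig. 2), derives the greatest pre-expectation literally as in Def. 2.2, and computes the least fixed points ◇A and ΔA of Fig. 3 by Kleene iteration, reproducing equations (1) and (2) of Sec. 2 and the bound q = 2 just derived. The tagged-tuple program encoding and all function names are our own.

```python
"""Quantitative program logic on the Randomised Chooser (added example).

Encodes Fig. 1 (nondeterminism as minimum), Def. 2.2 and the least fixed
points of Fig. 3 over the state space {b = false, b = true}.  The program
encoding (tagged tuples) and every name below are our own, not the paper's.
"""
from typing import Callable, Dict, Tuple

State = Tuple[bool, ...]            # a state is a tuple of variable values
Expectation = Dict[State, float]    # a real-valued function of the state

STATES: Tuple[State, ...] = ((False,), (True,))   # the single variable b

def const(c: float) -> Expectation:
    return {s: c for s in STATES}

def pred(f: Callable[[State], bool]) -> Expectation:
    """Characteristic expectation {f}: 1 where f holds, 0 elsewhere."""
    return {s: 1.0 if f(s) else 0.0 for s in STATES}

def zip_with(op: Callable[[float, float], float],
             A: Expectation, B: Expectation) -> Expectation:
    return {s: op(A[s], B[s]) for s in STATES}

def negate(A: Expectation) -> Expectation:
    """The negation 1 - A (written with a bar over A in the paper)."""
    return zip_with(lambda x, y: x - y, const(1.0), A)

# Programs are tagged tuples:
#   ('assign', upd)         x := E, with upd: State -> State
#   ('pchoice', p, r, r2)   r with probability p, otherwise r2
#   ('nd', r, r2)           nondeterministic choice r [] r2
#   ('seq', r, r2)          r ; r2
#   ('cond', B, r, r2)      r if B else r2, with B: State -> bool

def wp(prog, A: Expectation) -> Expectation:
    """Least possible pre-expectation, following Fig. 1 rule by rule."""
    tag = prog[0]
    if tag == 'assign':                       # A[E/x]
        return {s: A[prog[1](s)] for s in STATES}
    if tag == 'pchoice':                      # p(wp.r.A) + (1-p)(wp.r'.A)
        p, r, r2 = prog[1], prog[2], prog[3]
        return zip_with(lambda x, y: p * x + (1 - p) * y, wp(r, A), wp(r2, A))
    if tag == 'nd':                           # wp.r.A  min  wp.r'.A
        return zip_with(min, wp(prog[1], A), wp(prog[2], A))
    if tag == 'seq':                          # wp.r.(wp.r'.A)
        return wp(prog[1], wp(prog[2], A))
    if tag == 'cond':                         # B x wp.r.A + (1-B) x wp.r'.A
        B, pre_r, pre_r2 = prog[1], wp(prog[2], A), wp(prog[3], A)
        return {s: pre_r[s] if B(s) else pre_r2[s] for s in STATES}
    raise ValueError(f"unknown program tag {tag!r}")

def wp_bar(prog, A: Expectation) -> Expectation:
    """Greatest possible pre-expectation, Def. 2.2: 1 - wp.r.(1 - A)."""
    return negate(wp(prog, negate(A)))

def lfp(F: Callable[[Expectation], Expectation],
        tol: float = 1e-12, max_iter: int = 10_000) -> Expectation:
    """Least fixed point by Kleene iteration from the least element 0."""
    X = const(0.0)
    for _ in range(max_iter):
        Y = F(X)
        if max(abs(Y[s] - X[s]) for s in STATES) <= tol:
            return Y
        X = Y
    raise RuntimeError("fixed-point iteration did not converge")

# Fig. 2: Chooser := (b := true) if {b = true}
#                    else ((b := true) [] (b := true 1/2(+) b := false))
SET_TRUE = ('assign', lambda s: (True,))
SET_FALSE = ('assign', lambda s: (False,))
CHOOSER = ('cond', lambda s: s[0], SET_TRUE,
           ('nd', SET_TRUE, ('pchoice', 0.5, SET_TRUE, SET_FALSE)))
B_TRUE, B_FALSE = pred(lambda s: s[0]), pred(lambda s: not s[0])

def eventually(A: Expectation, step) -> Expectation:
    """<>A = (mu X . A max step X); pass wp for the least, wp_bar for the greatest."""
    return lfp(lambda X: zip_with(max, A, step(CHOOSER, X)))

def time_to(A: Expectation, step) -> Expectation:
    """Delta A = (mu X . (1 - A) x (1 + step X)), the form of footnote 5."""
    not_A = negate(A)
    def F(X: Expectation) -> Expectation:
        nxt = step(CHOOSER, X)
        return {s: not_A[s] * (1.0 + nxt[s]) for s in STATES}
    return lfp(F)

if __name__ == "__main__":
    print("wp.Chooser.{b=true}      =", wp(CHOOSER, B_TRUE))       # eq. (1)
    print("wp_bar.Chooser.{b=false} =", wp_bar(CHOOSER, B_FALSE))  # eq. (2)
    print("least / greatest time to b=true from b=false:",
          time_to(B_TRUE, wp)[(False,)], time_to(B_TRUE, wp_bar)[(False,)])
```

From b = false the demonic Δ gives 1 (the scheduler may always pick b := true) while the angelic Δ̄ gives the bound q = 2 of the calculation above.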



4 Fair Adversary Schedulers and Counting Rounds 

We now illustrate our operators above by considering Rabin and Lehmann’s randomised solution [?] to the well-known problem of the dining philosophers. The problem is usually presented as a number of philosophers $P_1, \ldots, P_N$ seated around a table, who variously think ($T$) or eat ($E$). In order to eat they must pick up two forks, each shared between neighbouring philosophers, where the $i$’th philosopher has left, right neighbours respectively $P_{i-1}$ and $P_{i+1}$ (with subscripts numbered modulo $N$). The problem is to find a distributed protocol guaranteeing that some philosopher will eventually eat (in the case that some philosopher is continuously hungry). Randomisation is used here to obtain a symmetrical solution in the sense that philosophers execute identical code — any non-random solution cannot both guarantee eating and be symmetrical.

The aim for this section is to calculate upper bounds on the expected time until some philosopher eats, and since we are only interested in the time to eat we have excluded the details following that event. The algorithm set out in Fig. 5 represents the behaviour of the $i$’th philosopher, where each atomic step is numbered. A philosopher is only able to execute a step provided he is scheduled and when he is, he executes exactly one of the steps, without interference from

⁷ Scaling is a standard property of expectation operators from probability theory [?] which also holds here. Others are monotonicity and continuity. In fact only distribution of addition fails: nondeterminism forces a weakening of that axiom; compare suplinearity of Fig. 7.
the other philosophers. Fig. 5 then describes a philosopher as follows: initially he decides randomly which fork to pick up first; next he persists with his decision until he finally picks it up, only putting it down later if he finds that his other fork is already taken by his neighbour. We have omitted the details relating to the shared fork variables, and for ease of presentation we use labels $T, E, l, r$ etc. to denote a philosopher’s state, rather than the explicit variable assignments they imply. Thus, for example, if $P_i$ is in state $L_i$ or $P_{i-1}$ is in state $R_{i-1}$, it means the variable representing the shared fork (between $P_i$ and $P_{i-1}$) has been set to a value that means ‘taken’. The distributed system can now be defined as repeated executions of the program $[]_{1 \le i \le N} P_i$, together with a fairness condition, discussed next.



1. if $T_i$ → $l_i\ {}_{1/2}\oplus\ r_i$

2. [] $(l_i \lor r_i)$ → if $(l_i \land \lnot R_{i-1})$ → $L_i$
                        [] $(l_i \land R_{i-1})$ → $l_i$
                        [] $(r_i \land \lnot L_{i+1})$ → $R_i$
                        [] $(r_i \land L_{i+1})$ → $r_i$
                     fi

3. [] $(L_i \lor R_i)$ → if $(L_i \land \lnot R_{i-1})$ → $E_i$
                        [] $(L_i \land R_{i-1})$ → $\overline{L}_i$
                        [] $(R_i \land \lnot L_{i+1})$ → $E_i$
                        [] $(R_i \land L_{i+1})$ → $\overline{R}_i$
                     fi

4. [] $(\overline{L}_i \lor \overline{R}_i)$ → $T_i$

fi

The state $T_i$ represents thinking, $l_i$ ($r_i$) that a philosopher will attempt to pick up the left (right) fork next time he is scheduled, $L_i$ ($R_i$) that he is holding only the left (right) fork, $\overline{L}_i$ ($\overline{R}_i$) that he will put down the left (right) fork next time he is scheduled and $E_i$ that he eats. The use of a state as a Boolean means ‘is in that state’; as a statement it means ‘is set to that state’.

Fig. 5. The $i$’th philosopher’s algorithm [?].



A fundamental assumption of distributed systems is that of a scheduler. Roughly speaking it is the mechanism that manages the nondeterminism in $[]_{1 \le i \le N} P_i$, and its only constraint here is fairness: if a philosopher is continuously hungry (or ‘enabled’) then he must eventually be scheduled (and for simplicity we assume that philosophers are either enabled or eating). That assumption, of course, means that counting atomic steps is pointless — any particular philosopher may be ignored for an arbitrarily long interval whilst other philosophers are scheduled. Instead we count rounds, an interval in which each philosopher has been scheduled at least once — and fairness guarantees that rounds exist.

However there is a problem: recall that the tree semantics for a distributed system is composed of paths (denoted by $t$) in which arcs represent the effect of atomic steps, therefore interpreting the performance measure $\Delta$ directly over that tree would not estimate rounds. We must do something else: we construct a new tree, one in which $\bigcirc$ is associated with the effect of a round rather than an atomic step, and we interpret $\Delta$ over that. We map each path $t$ (a sequence of states with successors determined by atomic steps) to $t'$ (a sequence of states with successors determined by rounds) as follows: first $t$ is divided into contiguous subsequences, each one containing a round (we have omitted the precise details of how this can be done); $t'$ is the projection of $t$ onto the states at the delimiters.⁸ Now interpreting $\Delta$ over the resulting tree will correctly provide an estimate of numbers of rounds rather than atomic steps; however we require more, namely a bound that dominates all possible such interpretations.

We assume some program Round which represents the overall effect of a round — it is the sequential composition, in some order, of some number of atomic steps (where each step is determined by some $P_i$ in this case). To abstract from that order and how rounds are delimited, we assume no more about Round’s behaviour except the following: we require Round to terminate and that each $P_i$ appears somewhere in the sequential composition. The trick now is to specify those requirements (i.e. to define ‘round’) in a way that allows promotion of atomic-step properties to round properties: we use the technique of invariants.

local invariants   If $I$ is in $\mathcal{E}S$ and $wp.([]_{1 \le i \le N} P_i).I \Lleftarrow I$ then $wp.Round.I \Lleftarrow I$.

fair progress   If $I, I'$ in $\mathcal{E}S$ are both local invariants and there is some $i$ such that $wp.P_i.I \Lleftarrow I'$ then $wp.Round.I \Lleftarrow I'$,

where an invariant $I$ is said to be local if $wp.P_i.I \Lleftarrow I$ for all $i$, equivalently if $wp.([]_{1 \le i \le N} P_i).I \Lleftarrow I$. This technique is very powerful, for although local invariants may be difficult to find, they are easy to check.

The fair progress property is specific to computations in the context of fair execution. It states that if an invariant $I'$ holds initially, and if from within that invariant some (helpful) $P_i$ establishes a second invariant $I$, then $I$ must hold at the end of the round — fairness must guarantee that $P_i$ executes at some stage in the round, and no matter how the round begins, if $I'$ holds initially, invariance ensures that it holds at that stage; after which the now established invariant $I$ continues to hold, no matter how the round is completed. The local invariant property is a special case of that, and in fact implies termination of Round. Termination is specified by the property $wp.Round.\underline{1} \Lleftarrow \underline{1}$, which follows from the local invariant rule with $I$ taken to be $\underline{1}$.

⁸ This is effectively sequentially composing the atomic steps.
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The problem of counting rounds now becomes one of interpreting Q 
Sp. Round in the definition of A, but then only using properties 10) to deduce 
properties of wp. Round (hence of Sp. Round, Def. 12 . 211 . With those conventions 
we can specify the expected time to the first eating event as A(3i • Ei), and our 
next task is to consider how in general to estimate upper bounds on l\A, for 
some using only local invariants. 

We introduce a second performance operator, set out in Fig. 6, which counts 
steps in a different way. Informally $\#A$ counts the expected number of times 
that $A$ holds ever along paths in the computation tree. If $A$ holds in the current 
state on a path, it is deemed to be one more visit to $A$; similarly unfolding the 
fixed point once reveals a corresponding '1+' in that case. The new performance 
operator is related to $\Delta A$ by observing that for characteristic $A$ the number of 
times $A$ holds on the path is at least as great as the length of the path until $A$ 
holds. Other properties of $\#$ are set out in Fig. 7. (Note that with this notation 
we have returned briefly to the abstract notions of Sec. 3.) 

The connection between performance and local invariants is to be found in 
the visit-eventually rule. It generalises a result from Markov processes [?] which 
says that the expected number of visits to $A$ is the probability that $A$ is ever 
reached ($\Diamond A$) conditioned on the event that it is never revisited (probability 
$1 - p$). Its relevance here is that an upper bound on $\Diamond A/(1-p)$ (and hence on 
$\#A$) may be calculated from upper bounds on both $\Diamond A$ and $p$, both of 
which are implied by lower bounds on local invariants, and the next theorem 
sets out how to do that. 

least possible visits to $A$        $\#A := (\mu X \cdot\ Q.X \text{ if } \neg A \text{ else } A + Q.X)$

greatest possible visits to $A$     $\hat{\#}A := (\mu X \cdot\ \hat{Q}.X \text{ if } \neg A \text{ else } A + \hat{Q}.X)$

$A$ is $\{0,1\}$-valued. 

Fig. 6. The expected number of visits. 



A more succinct form for $\#A$ is given by $(\mu X \cdot A + Q.X)$. 

suplinearity        $\#(A + B) \le \#A + \#B$

visit-reach         $\Diamond A \le \#A$ 
                    with equality if $A \le \ldots$ 

visit-eventually    $\#A \le \Diamond A/(1-p)$, 
                    where $p := (\sqcup s : A \cdot Q(\Diamond A).s)$. 

$A$ is $\{0,1\}$-valued. We write $(\sqcup s : A \cdot f.s)$ for the maximum value of $f.s$ when $s$ ranges 
over the (predicate) $A$. In the visit-eventually rule, $p$ is the greatest possible probability 
that $A$ is ever revisited; if $p = 1$ that upper bound is formally infinite. 

Fig. 7. Some properties of expected visits. 

Theorem 4.1 Consider a distributed system defined by processes $P_1, \ldots, P_N$ 
arbitrated by a fair scheduler. Given an expectation $A$ and local invariants $I, I'$ 
such that $A \le 1 - I$ and $I' \le wp.P_i.I$ for some $i$, then the maximal possible 
number of times that $A$ holds (after executions of Round) is given by 

    $1/(1-q)$, 

where $q := 1 - (\sqcap s : A \cdot I'.s)$ and $Q$ is defined to be $wp.Round$ in the definition 
of $\#$. 

Proof: Using the notation of the visit-eventually property of Fig. 7 we see 
that an upper bound on $\#A$ is given by upper bounds on both $\Diamond A$ and $p$. 
By appealing to feasibility (Fig. [?]) and arithmetic we deduce immediately that 
$\#A \le 1/(1-q)$ for any $q > p$. All that remains is to calculate the condition on 
$q$. We begin by estimating an upper bound for $wp.Round.(\Diamond A)$. 

        $wp.Round.(\Diamond A)$ 
    $\le wp.Round.(\Diamond(1 - I))$                monotonicity, footnote 7; $A \le 1 - I$ 
    $= wp.Round.(1 - \Box(1 - (1 - I)))$            duality, Fig. [?] 
    $= wp.Round.(1 - \Box I)$                        arithmetic 
    $\le wp.Round.(1 - I)$                           $I \le \Box I$, invariants, Fig. [?] 
    $= 1 - wp.Round.I$                               Def. [?] 
    $\le 1 - I'$,                                    fair progress 

where in the last step we are using our assumption that there is some philosopher $P_i$ 
such that $wp.P_i.I \ge I'$ for local invariant $I'$. Next we bound $q$: 

        $q > p$ 
    if  $q > (\sqcup s : A \cdot wp.Round.(\Diamond A).s)$     definition of $p$, Fig. 7 
    if  $q > (\sqcup s : A \cdot (1 - I').s)$                   above 
    if  $q > 1 - (\sqcap s : A \cdot I'.s)$,                    arithmetic 

as required. 

□ 
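As an added illustration, not code from the paper, the following Python evaluates the operators of Fig. 6 and Fig. 7 on a small constructed Markov chain: with no demonic choice, $Q.X$ is just the one-step expectation $P.X$, so $\Diamond A$, $\#A$ and $p$ are least fixed points reached by iteration, and the visit-eventually bound is then checked state by state. The chain $P$ and the expectation $A$ are assumptions of the example and have nothing to do with the dining philosophers.

```python
"""Added example, not from the paper: the performance operators of Fig. 6 and the
visit-eventually rule of Fig. 7 evaluated on a small constructed Markov chain.
Without demonic choice Q.X is the one-step expectation P.X, so the least fixed
points can be computed by iteration from the zero expectation."""

# Constructed chain: A holds in state 0 only; state 2 is absorbing, so A is
# visited only finitely often and the expected number of visits is finite.
P = [
    [0.0, 0.5, 0.5],   # from 0: to 1 or to 2, each with probability 1/2
    [0.5, 0.0, 0.5],   # from 1: back to 0 or on to 2
    [0.0, 0.0, 1.0],   # 2 is absorbing
]
A = [1.0, 0.0, 0.0]    # the {0,1}-valued expectation "A holds"


def step(P, X):
    """Q.X for a Markov chain: the expected value of X after one step."""
    return [sum(P[s][t] * X[t] for t in range(len(X))) for s in range(len(X))]


def lfp(F, n, tol=1e-12, limit=100000):
    """Least fixed point of a monotone F, approached by iteration from zero."""
    X = [0.0] * n
    for _ in range(limit):
        Y = F(X)
        if max(abs(y - x) for x, y in zip(X, Y)) < tol:
            return Y
        X = Y
    raise ValueError("no convergence: the fixed point may be infinite")


def reach(P, A):
    """<>A, the probability of ever reaching A: mu X . (A if A else Q.X)."""
    return lfp(lambda X: [1.0 if a else qx for a, qx in zip(A, step(P, X))], len(A))


def visits(P, A):
    """#A, the expected number of visits to A, in the succinct form mu X . A + Q.X."""
    return lfp(lambda X: [a + qx for a, qx in zip(A, step(P, X))], len(A))


def revisit_bound(P, A):
    """p of the visit-eventually rule, max over s in A of Q(<>A).s: the greatest
    probability of coming back to A after at least one step."""
    return max(q for a, q in zip(A, step(P, reach(P, A))) if a)


def visit_eventually_holds(P, A):
    """Check #A <= <>A / (1 - p) in every state; returns (ok, <>A, #A, p)."""
    dia, num, p = reach(P, A), visits(P, A), revisit_bound(P, A)
    ok = all(n <= d / (1 - p) + 1e-9 for n, d in zip(num, dia))
    return ok, dia, num, p
```

For a pure Markov chain the rule is tight: in state 0 the chain gives $\Diamond A = 1$, $p = 1/4$ and $\#A = 4/3 = \Diamond A/(1-p)$ exactly; demonic choice is what turns the equality into an inequality.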



Finally we are in a position to tackle the dining philosophers: our principal 
tools will be Thm. 4.1 and suplinearity of Fig. 7; the latter property allows 
the problem to be decomposed, making application of Thm. 4.1 easier (since it 
is then applied to fragments of the state space rather than to the whole state 
space). Deciding how to choose an appropriate decomposition often depends on 
the probabilistic invariant properties, and we discuss them next. 

Ordinary program invariants are predicates that are maintained; probabilistic 
invariants, on the other hand, describe predicates that are maintained only with 
some probability, and we end this section by illustrating one such for the dining 
philosophers. 

Consider first the case when two philosophers ($P_i$ and $P_{i+1}$) are in the 
configuration $(l_i \vee L_i) \wedge (r_{i+1} \vee R_{i+1})$. Informally we reason that the configuration 
is maintained unless one of $P_i$ or $P_{i+1}$ eats: other philosophers cannot disturb 
it, and inspection of $P_i$ shows that $l_i$ can only evolve to $L_i$, and that $L_i$ can 
only evolve to $E_i$ (since $P_{i+1}$ is in state $r_{i+1} \vee R_{i+1}$). More generally we reason 
that 

    $A := (\exists i \cdot (l_i \vee L_i) \wedge (r_{i+1} \vee R_{i+1}) \vee E_i)$ 

is always maintained, if it is ever established. 

Next, to factor in probability, we look for a property that is only maintained 
with some probability. Again we consider the neighbours $P_i$ and $P_{i+1}$ but this 
time for the configuration $(l_i \vee L_i) \wedge T_{i+1}$. As before the configuration can 
only evolve to eating, unless $P_{i+1}$ is scheduled, and when it is the state $r_{i+1}$ (and 
thus $A$) is established with probability $1/2$; hence defining $A'$ to be 

    $(\exists i \cdot (l_i \vee L_i) \wedge T_{i+1}) \wedge \neg A$, 

we argue that if $A \vee A'$ ever holds, then it must continue to hold with probability 
at least $1/2$. Expressed in the logic, we say that $A + A'/2$ is a local invariant. 
Checking formally that $wp.P_i.(A + A'/2) \ge A + A'/2$ confirms that fact. (Notice 
that the invariants are expressions over the whole state space; however we only 
need check invariance with respect to a single philosopher.) 

Finally if we define $I := A$ and $I' := A + A'/2$ the remarks above imply that 
Thm. 4.1 provides an upper bound of 2 on $\#A'$. Intuition tells us that the bound 
must be finite since from probability theory [?] $A'$ cannot be visited infinitely 
often if there is always a probability of $1/2$ of reaching an ordinary invariant $A$, 
disjoint from $A'$. 

Calculations such as the above are required to find individual upper bounds 
on the return visits to a collection of predicates whose union implies the whole 
space. The particular invariant properties of the algorithm provide the best guide 
for choosing a decomposition. For example, if $I$ is a (standard) local invariant 
and $J$ is a predicate disjoint from $I$, and if $(Q.I).s = p$ for all $s$ in $J$, where 
$0 < p < 1$, then $I + pJ$ is also a (probabilistic) invariant. Thus $I$ and $J$ might 
form part of a suitable decomposition. (We would put $I' := I + pJ$ to deduce 
a maximum of $1/(1-p)$ visits to $J$.) But whatever the decomposition, the most 
important feature of this method is that once invariants are discovered, verifying 
that they satisfy the properties of Thm. 4.1 is straightforward in the logic. 

The precise decomposition used for the analysis of the dining philosophers 
follows that of the correctness proof (appearing elsewhere [?]) and gives a 
total expected time to first eating of no more than 33 (compare 63 of [?]). The 
details of those calculations are set out elsewhere [?]. 

5 Conclusion 

In this paper we have shown how ordinary correctness techniques of distributed 
algorithms can be applied to probabilistic programs by using quantitative program 
logic, and that the methods apply even in the evaluation of performance. 
This treatment differs from other approaches to performance analysis of probabilistic 
algorithms [?] in that we do not refer explicitly to the distribution 
over computation paths; neither do we factor out the nondeterminism as a first 
step nor do we analyse the behaviour of the composed system: instead we use 
compositionality of local properties, thus simplifying our formal reasoning. Other 
approaches using expectations [?] do not treat nondeterminism and thus are 
not applicable to distributed algorithms like this at all. 
Abstract. Lossy channel systems (LCSs) are models for communicating 
systems where the subprocesses are linked via unbounded FIFO channels 
which might lose messages. Link protocols, such as the Alternating 
Bit Protocol and HDLC, can be modelled with these systems. The decidability 
of several verification problems of LCSs has been investigated by 
Abdulla & Jonsson [AJ93, AJ94], e.g. they have shown that the reachability 
problem for LCSs is decidable while LTL model checking is not. 
In this paper, we consider probabilistic LCSs (which are LCSs where the 
transitions are augmented with appropriate probabilities) as introduced 
by [IN97] and show that the question of whether or not a linear time 
property holds with probability 1 is decidable. More precisely, we show 
how LTL\X model checking for (certain types of) probabilistic LCSs can 
be reduced to a reachability problem in a (non-probabilistic) LCS where 
the latter can be solved with the methods of [AJ93]. 



1 Introduction 

Traditional algorithmic verification methods for parallel systems are limited to 
finite state systems and fail for systems with an infinite state space, such as real-time 
programs with continuous clocks or programs that operate with unbounded 
data structures or protocols for processes that communicate via unbounded channels. 
Typically, such systems are modelled by a finite state machine that specifies 
the control part. The transitions between the control states are equipped with 
conditions (e.g. about the values of a counter or a clock or about the messages in 
a channel). The behaviour of such a system is then given by a (possibly infinite) 
transition system whose global states consist of a control state and an auxiliary 
component whose values range over an infinite domain (e.g. the interpretations 
for a counter or a clock or the contents of certain channels). Even though a wide range 

* The second author is sponsored by the DFG-Project MA 794/3-1. 

Here, LTL\X denotes standard linear time logic without next step. 
of verification problems for such infinite systems is undecidable, various authors 
developed verification algorithms for special types of infinite systems. 

This paper is concerned with model checking algorithms for communication 
protocols where the (sub-)processes are linked via unbounded FIFO channels. 
Dealing with perfect channels, in which case one gets the same expressiveness 
as Turing Machines, most verification problems are undecidable [BZ83]. Several 
link protocols, like the Alternating Bit Protocol [BSW69] or HDLC [?], 
are designed to work correctly even for unreliable channels. For such faulty systems, 
various verification problems can be solved automatically. Finkel [Fin94] 
considered completely specified protocols modelled by channel systems where the 
channels might lose their first message and showed that the termination problem 
is solvable. Abdulla & Jonsson [AJ93] present algorithms for a reachability analysis 
(see also [AKP97]) and the verification against (certain types of) safety and 
eventually properties for lossy channel systems (LCSs), i.e. channel systems that 
may lose arbitrary messages. Abdulla & Kindahl [?] have shown that also 
the task of establishing a branching time relation (simulation or bisimulation) 
between a LCS and a finite transition system can be automated. Decidability 
results for other types of unreliable FIFO systems have been developed e.g. by 
Cece, Finkel & Iyer [CFI96] (where channel systems with insertion or duplication 
errors are considered) and Bouajjani & Mayr [BM98] (where lossy vector 
addition systems are investigated). Even if validating faulty channel systems is 
easier than reasoning about perfect channel systems, some verification problems 
are still undecidable for unreliable channel systems. Abdulla & Jonsson [AJ94] 
show the undecidability of model checking for LCSs against LTL or CTL specifications 
or establishing "eventually" properties under fairness assumptions about 
the channels. 

We follow here the approach of Iyer & Narasimha [IN97] and consider probabilistic 
LCSs (PLCSs for short). In PLCSs, one assumes that the failure rate of 
the channels is known and deals with a constant $p$ that stands for the probability 
that one of the channels loses a message. The other transitions are equipped 
with "weights" that yield the probabilities for the possible steps of the global 
states and turn the transition system for the underlying LCS into a (possibly 
infinite) Markov chain. 

For probabilistic systems modelled by Markov chains, various (deductive and 
algorithmic) verification methods have been proposed in the literature, but only 
a minority of them is applicable for PLCSs. Most of the algorithmic methods are 
formulated for finite Markov chains and hence are not applicable for PLCSs, see 
e.g. [?]. Even some of the axiomatic methods, see e.g. [?], fail for PLCSs since they 
are designed for bounded (or even finite) Markov chains. 

To overcome the limitations of algorithmic verification methods for LCSs due to 
undecidability results, [ABJ98] propose (possibly non-terminating) symbolic verification 
techniques based on an "on the fly" reachability analysis. 

Boundedness of a Markov chain means that there is an upper bound $\epsilon > 0$ for the 
non-zero transition probabilities. In the Markov chain for a PLCS, the probability 
In this paper, we restrict our attention to temporal logical specifications; more 
precisely, to specifications given by formulas of propositional linear time temporal 
logic LTL. When interpreting a LTL formula $f$ over the states of a Markov 
chain, the probability for $f$ to hold in a state $s$, i.e. the probability measure of 
all paths starting in $s$ and satisfying $f$, can be viewed as the "truth value" for 
$f$ in state $s$. Thus, LTL can serve as specification formalism for both qualitative 
and quantitative temporal properties. In the former case, a LTL specification just 
consists of a LTL formula $f$; satisfaction of $f$ in a state $s$ means that $f$ holds 
for almost all paths starting in $s$ (i.e. with probability 1). Lehmann & Shelah [?] 
present sound and complete axiomatizations for (a logic that subsumes) 
LTL interpreted over Markov chains of arbitrary size; thus, the framework of [?] 
can serve as a proof-theoretic method for verifying qualitative properties 
for PLCSs. Quantitative properties can be expressed by a LTL formula $f$ and a 
lower bound probability $p$; satisfaction in a state $s$ means that the probability for 
$f$ is beyond the given lower bound $p$. In [IN97], an approximative quantitative 
analysis for PLCSs (i.e. an algorithm for approximating the probabilities for a 
LTL\X formula $f$ to hold in the initial state of a PLCS) is proposed. Here, 
LTL\X means LTL without the next step operator X. This method yields a 
model checking procedure for verifying quantitative LTL\X specifications with 
respect to a tolerance $\epsilon$ but it fails for qualitative properties (because of the 
tolerance). 

The main contribution of this paper is a verification algorithm for establishing 
qualitative properties specified by LTL\X formulas for PLCSs. We use the $\omega$-automaton 
approach à la Wolper, Vardi & Sistla [WVS83] and construct an 
$\omega$-automaton $\mathcal{A}_f$ for the given formula $f$. Then, we define the product $\mathcal{PC} \times \mathcal{A}_f$ 
of the given PLCS $\mathcal{PC}$ and the $\omega$-automaton $\mathcal{A}_f$ (yielding a new PLCS) and a 
formula $f'$ of the form $f' = \bigvee_j \Diamond\Box(a_j \wedge \Diamond b_j)$ with atomic propositions $a_j$, $b_j$ 
such that the probability for $f$ to hold for $\mathcal{PC}$ equals the probability for $f'$ to 
hold for $\mathcal{PC} \times \mathcal{A}_f$. 

For finite Markov chains, it is well-known that whether or not a qualitative 
property can be established does not depend on the precise probability but 
just on the topology of the underlying directed graph [?]. More precisely, 
qualitative properties of the type $f' = \bigvee_j \Diamond\Box(a_j \wedge \Diamond b_j)$ can be established by 
analyzing the bottom strongly connected components. This no longer holds 
when we deal with infinite (bounded or unbounded) Markov chains. For an example, 
consider the system of Figure 1. The qualitative property stating that $s_0$ 



for the loss of a concrete message tends to 0 if the channel length tends to $\infty$; thus, 
they fail to be bounded. 

In the branching time framework (where one distinguishes between state and path 
formulas), the state formulas typically also assert that the probability for a certain 
event lies in a given interval; thus, the state formulas can be viewed as (special types 
of) quantitative LTL specifications. See e.g. [HJ94, SBS95, BdA95]. 

The tolerance $\epsilon$ specifies how precise the approximated value should be, i.e. the 
difference between the computed value $q'$ and the precise probability $q$ for the formula 
to hold in the initial state of the given PLCS is at most $\epsilon$. 
Fig. 1. An infinite (bounded) Markov chain 

is visited infinitely many times cannot be established unless $p > 1/2$. To avoid 
a scenario as for the Markov chain in Figure 1 with $p < 1/2$ where a reachability 
analysis cannot help for establishing qualitative properties, we make an 
additional assumption about the underlying PLCS and require probabilistic input 
enabledness. This assumption allows us to reduce the question of whether a 
qualitative property specified by a formula $f'$ as above is satisfied to a reachability 
problem in the underlying (non-probabilistic) LCS where the latter is 
solvable with conventional methods [AJ93, AKP97]. 

The reason why we do not deal with the next step operator will be explained 
in Section [?]. Roughly speaking, the lack of next step ensures the invariance of 
the formulas with respect to losing a message. This is essential for characterizing 
the probability for $f$ to hold for a PLCS $\mathcal{PC}$ by the probability for the above 
mentioned formula $f'$ in the product system $\mathcal{PC} \times \mathcal{A}_f$. (See Lemma [?].) 

Organization of the paper: In Section 2 we briefly explain our notations 
concerning Markov chains and linear time logic LTL\X with its interpretation 
over Markov chains. The definitions of LCSs and PLCSs and related notations 
are given in Section 3. Our model checking algorithm is presented in Section 4. 
Section 5 concludes the paper. 

This paper contains only the proof sketches. In the full paper [?] the 
complete proofs can be found. 

Throughout the paper, we work with a finite non-empty set AP of atomic 
propositions which we use in the context of labelled Markov chains, LTL\X 
formulas and LCSs. The reader should be familiar with basic notions of probability 
theory, see e.g. [Fel68, ?], further on with the main concepts of the 
temporal logic and model checking approach, see e.g. [?], 
and also with the connection between temporal logic and $\omega$-automata, see 
e.g. [?]. 

2 Preliminaries: Markov Chains and LTL\X 

In the literature, a wide range of models for probabilistic processes is proposed. 
In this paper, we deal with (discrete time, labelled) Markov chains, which is 
one of the basic models for specifying probabilistic systems. We briefly explain 
our notations concerning Markov chains and linear time logic LTL\X with its 
interpretation over Markov chains. 



This observation follows with standard arguments of Markov chain theory ("random 
walks"). For $p < 1/2$, the probability to reach $s_0$ from ... is $p^k/(1-p)^k < 1$. 
Markov chains: A Markov chain over AP is a tuple $\mathcal{M} = (S, \mathbf{P}, L)$ where $S$ 
is a set of states, $L : S \to 2^{AP}$ a labelling function which assigns to each state 
$s \in S$ a set of atomic propositions and $\mathbf{P} : S \times S \to [0, 1]$ a transition probability 
function such that for all $s \in S$: $\mathbf{P}(s, t) > 0$ for at most countably many states 
$t \in S$ and $\sum_{t \in S} \mathbf{P}(s, t) = 1$. 

Execution sequences arise by resolving the probabilistic choices. Formally, 
an execution sequence in $\mathcal{M}$ is a nonempty (finite or infinite) sequence $\pi = 
s_0, s_1, s_2, \ldots$ where the $s_i$ are states and $\mathbf{P}(s_{i-1}, s_i) > 0$, $i = 1, 2, \ldots$. An infinite 
execution sequence $\pi$ is also called a path. We denote by $word(\pi)$ the sequence of 
atomic propositions associated with $\pi$, i.e. $word(\pi) = L(s_0), L(s_1), L(s_2), \ldots$. 
The first state of $\pi$ is denoted by $first(\pi)$. $\pi(k)$ denotes the $(k+1)$-th state of 
$\pi$, i.e. if $\pi = s_0, s_1, s_2, \ldots$ then $\pi(k) = s_k$. $Reach_{\mathcal{M}}(s)$ denotes the set of states 
that are reachable from $s$, i.e. $Reach_{\mathcal{M}}(s)$ is the set of states $\pi(k)$ where $\pi$ is a 
path with $first(\pi) = s$. $Path_{\mathcal{M}}(s)$ denotes the set of paths $\pi$ with $first(\pi) = s$ 
and $Path_{fin,\mathcal{M}}(s)$ denotes the set of finite execution sequences starting in $s$. For $s \in S$, let 
$\mathcal{A}_{\mathcal{M}}(s)$ be the smallest $\sigma$-algebra on $Path_{\mathcal{M}}(s)$ which contains the basic cylinders 
$\{\pi \in Path_{\mathcal{M}}(s) : \rho \text{ is a prefix of } \pi\}$ where $\rho$ ranges over all finite execution 
sequences starting in $s$. The probability measure $Prob_{\mathcal{M}}$ on $\mathcal{A}_{\mathcal{M}}(s)$ is the unique 
measure with 

    $Prob_{\mathcal{M}}\{\pi \in Path_{\mathcal{M}}(s) : \rho \text{ is a prefix of } \pi\} = \mathbf{P}(\rho)$ 

where $\mathbf{P}(s_0, s_1, \ldots, s_k) = \mathbf{P}(s_0, s_1) \cdot \mathbf{P}(s_1, s_2) \cdot \ldots \cdot \mathbf{P}(s_{k-1}, s_k)$. If it is clear from 
the context, we omit the subscript $\mathcal{M}$ and briefly write $Path(s)$, $Reach(s)$, etc. 

Linear Time Logic LTL\X: LTL\X formulas are built from the grammar 

    $f ::= a \mid f_1 \wedge f_2 \mid \neg f \mid f_1\, U\, f_2$ 

where $a$ is an atomic proposition ($a \in AP$) and $U$ the temporal operator "until". As usual, operators for 
modelling "eventually" or "always" can be derived by $\Diamond f = tt\, U\, f$ and 
$\Box f = \neg\Diamond\neg f$. The interpretation of LTL\X formulas over the paths and states 
of a Markov chain is as follows. Let $\mathcal{M} = (S, \mathbf{P}, L)$ be a Markov chain over AP. 
The satisfaction relation (denoted $\models_{\mathcal{M}}$ or briefly $\models$) for path formulas is as in 
the non-probabilistic case, i.e. it is given by: $\pi \models a$ iff $\pi(0) \models a$, $\pi \models f_1 \wedge f_2$ iff 
$\pi \models f_i$, $i = 1, 2$, $\pi \models \neg f$ iff $\pi \not\models f$ and $\pi \models f_1\, U\, f_2$ iff there exists $k \ge 0$ with 
$\pi \uparrow i \models f_1$, $i = 0, 1, \ldots, k-1$ and $\pi \uparrow k \models f_2$. 

For $s \in S$, we define the "truth value" $p_s^{\mathcal{M}}(f)$ (or briefly $p_s(f)$) as the measure 
of all paths that start in $s$ and satisfy $f$, i.e. $p_s(f) = Prob\{\pi \in Path(s) : \pi \models f\}$. 
The satisfaction relation for the states (also denoted $\models_{\mathcal{M}}$ or $\models$) is given by $s \models f$ 
iff $p_s(f) = 1$. 



3 Probabilistic Lossy Channel Systems 

We recall the definitions of (non-probabilistic and probabilistic) LCSs as introduced 
by [AJ93] and [IN97]. A LCS models the behaviour of a number of 



Here, $\pi \uparrow k$ denotes the $k$-th suffix of $\pi$, i.e. the path $\pi(k), \pi(k+1), \pi(k+2), \ldots$. 
processes which communicate over certain unreliable channels. The control part 
of a LCS is specified by a finite state machine with (conditional) action-labelled 
transitions. The transitions can either be labelled by $\tau$ (which stands for an 
autonomous (internal) move for one of the processes) or by a communication 
action $c?m$ (where a process receives message $m$ from channel $c$) or $c!m$ (where 
a process sends message $m$ via channel $c$). The global behaviour depends on the 
current control state $s$ and the contents of the channels. While the enabledness 
of the internal action $\tau$ and the output actions $c!m$ just depends on the control 
state, enabledness of an input action $c?m$ requires that $m$ is the first message 
of $c$ and that the current control state $s$ has an outgoing transition labelled by 
$c?m$. 

The effect of an input action $c?m$ is that the first message $m$ is removed from 
$c$ while the output action $c!m$ inserts $m$ at the end of $c$. The internal action $\tau$ does 
not change the channel contents. Moreover, in each global state, any message 
in a channel can be lost, in which case the control state does not change. 

Definition 1. (cf. [AJ93]) A Lossy Channel System (LCS) is a tuple $\mathcal{C} = 
(S_{control}, s_0, L, Ch, Mess, \rightarrow)$ where 

• $S_{control}$ is a finite set of control states, 

• $s_0 \in S_{control}$ is an initial control state, 

• $L$ is a labelling function, i.e. $L : S_{control} \to 2^{AP}$, 

• $Ch$ is a finite set of channels, 

• $Mess$ is a finite set of messages, 

• $\rightarrow \subseteq S_{control} \times Act \times S_{control}$ 

where $SendAct = \{c!m : c \in Ch, m \in Mess\}$, $RecAct = \{c?m : c \in Ch, m \in 
Mess\}$ and $Act = SendAct \cup RecAct \cup \{\tau\}$. 

The (global) behaviour of a LCS can be formalized by an action-labelled 
transition system (which might have infinitely many states). We use the action 
set $Act_\ell = Act \cup \{\ell_{c,i} : c \in Ch, i = 0, 1, 2, \ldots\}$ where the auxiliary labels $\ell_{c,i}$ 
denote that the $i$-th message of channel $c$ is lost. The global states are pairs 
$\bar{s} = (s, w)$ consisting of a control state $s$ and an additional component $w$ that 
describes the channel contents. Formally, $w$ is a function $Ch \to Mess^*$ 
which assigns to each channel $c$ a finite string $w.c$ of messages. We use the symbol 
$\emptyset$ to denote both the empty string and the function that assigns to any channel 
$c$ the empty string. For $x \in Mess^*$, $x \ne \emptyset$, $first(x)$ is the first message in $x$. $|x|$ 
denotes the length of $x$; i.e. $|\emptyset| = 0$ and $|m_1 \ldots m_k| = k$. $w[c := x]$ denotes the 
unique function $w' : Ch \to Mess^*$ with $w'.c = x$ and $w'.d = w.d$ for $d \ne c$. The 
total channel length $|w|$ is defined as the sum over the lengths of the contents of 
the vector $w$, i.e. $|w| = \sum_{c \in Ch} |w.c|$. Further on, $|\bar{s}| = |w|$ and $\bar{s}.c = w.c$ for the 
global state $\bar{s} = (s, w)$. The transition system associated with $\mathcal{C}$ is 

    $TS(\mathcal{C}) = (S_{global}, \rightarrow, L, \bar{s}_0)$ 

The finite representation of a LCS in the sense of Definition 1 just specifies the 
control part. Since the loss of messages does not affect the control state, transitions 
obtained by losing a message are not specified by the transition relation $\rightarrow$. 
where $S_{global} = S_{control} \times (Ch \to Mess^*)$, $\bar{s}_0 = (s_0, \emptyset)$ is the initial global state 
and $L((s, w)) = L(s)$ for all $(s, w) \in S_{global}$. Furthermore the transition relation 
$\rightarrow \subseteq S_{global} \times Act_\ell \times S_{global}$ is the smallest set such that, for $w.c = m_1 m_2 \ldots m_k$: 

• If $s \xrightarrow{c!m} t$ then $(s, w) \xrightarrow{c!m} (t, w[c := m_1 \ldots m_k m])$. 

• If $s \xrightarrow{c?m} t$ and $k \ge 0$ then $(s, w[c := m\, m_1 \ldots m_k]) \xrightarrow{c?m} (t, w)$. 

• If $k \ge 1$ and $i \in \{1, \ldots, k\}$ then $(s, w) \xrightarrow{\ell_{c,i}} (s, w[c := m_1 \ldots m_{i-1} m_{i+1} \ldots m_k])$. 

• If $s \xrightarrow{\tau} t$ then $(s, w) \xrightarrow{\tau} (t, w)$. 

We write $\bar{s} \xrightarrow{\ell} \bar{t}$ iff $\bar{s} \xrightarrow{\ell_{c,i}} \bar{t}$ for some $c$ and $i$, and $\bar{s} \xrightarrow{\alpha}$ iff $\bar{s} \xrightarrow{\alpha} \bar{t}$ for some global 
state $\bar{t}$. We define $act(\bar{s})$ to be the set of actions $\alpha \in Act$ that are enabled in the 
global state $\bar{s}$. Formally, $act(\bar{s}) = \{\alpha \in Act : \bar{s} \xrightarrow{\alpha}\}$. In what follows, we require 
that in all global states at least one action is enabled. This is guaranteed by the 
requirement that, for any control state $s$, there is some action $\alpha \in SendAct \cup \{\tau\}$ 
and control state $t$ with $s \xrightarrow{\alpha} t$. 



Definition 2. (cf. [IN97]) A PLCS is a tuple $\mathcal{PC} = (\mathcal{C}, P_{control}, p)$ where $\mathcal{C}$ 
is a LCS, $p \in\, ]0, 1[$ the failure probability and 

    $P_{control} : S_{control} \times Act \times S_{control} \to [0, 1]$ 

a function with $P_{control}(s, \alpha, t) > 0$ iff $s \xrightarrow{\alpha} t$. 



The Markov chain associated with a PLCS $\mathcal{PC} = (\mathcal{C}, P_{control}, p)$ arises by 
augmenting the transitions of the transition system $TS(\mathcal{C})$ with probabilities. 
In any global state $\bar{s}$ where $|\bar{s}| \ne 0$, the probability for losing one of the messages 
is $p$ where all transitions $\bar{s} \xrightarrow{\ell_{c,i}} \bar{t}$ have equal probability. The other transition 
probabilities (for the transitions labelled by actions $\alpha \in Act$) are derived from 
$P_{control}$ (that assigns "weights" to the transitions) with the help of the normalization 
function $\nu : S_{global} \to \mathbb{R}_{>0}$ which is defined by: 

    $\nu((s, w)) = \sum_{\alpha \in act((s, w))} P_{control}(s, \alpha)$ 

where $P_{control}(s, \alpha) = \sum_t P_{control}(s, \alpha, t)$. The conditional probability (under 
the assumption that no message will be lost in the next step) for an $\alpha$-labelled 
transition $(s, w) \xrightarrow{\alpha} (s', w')$ is given by the "weight" $P_{control}(s, \alpha, s')$ 
divided by $\nu((s, w))$. We define the action-labelled transition probability function 

Note that for any control state $s$ where the system has terminated we may assume 
that there is a $\tau$-loop, i.e. $s \xrightarrow{\tau} s$. 

First, we define the probabilities for the action-labelled transitions. Then, we abstract 
from the action-labels and deal with the probabilities $P_{global}(\bar{s}, \bar{t})$ to move from $\bar{s}$ to 
$\bar{t}$ via any action. 

Since we assume that any control state $s$ has at least one transition $s \xrightarrow{\alpha} t$ for some 
$\alpha \in SendAct \cup \{\tau\}$, the normalization factor $\nu((s, w))$ is always $> 0$. 
$P_{global} : S_{global} \times Act_\ell \times S_{global} \to [0, 1]$ as follows. If $\alpha \in Act$, $(s, w) \xrightarrow{\alpha} (s', w')$ and 
$|w| \ne 0$ then 

    $P_{global}((s, w), \alpha, (s', w')) = \dfrac{1 - p}{\nu((s, w))} \cdot P_{control}(s, \alpha, s')$. 

For the loss of a message, corresponding to the transition $\bar{s} \xrightarrow{\ell_{c,i}} \bar{t}$, we define 

    $P_{global}(\bar{s}, \ell_{c,i}, \bar{t}) = p / |\bar{s}|$. 

For the global states with empty channels we put $P_{global}((s, \emptyset), \alpha, (s', w')) = 
P_{control}(s, \alpha, s') / \nu((s, \emptyset))$. In all remaining cases, we define $P_{global}(\bar{s}, \alpha, \bar{t}) = 0$. 
We define 

    $P_{global}(\bar{s}, \alpha) = \sum_{\bar{t} \in S_{global}} P_{global}(\bar{s}, \alpha, \bar{t})$,    $P_{global}(\bar{s}, \bar{t}) = \sum_{\alpha \in Act_\ell} P_{global}(\bar{s}, \alpha, \bar{t})$. 

The Markov chain associated with $\mathcal{PC}$ is $\mathcal{MC}(\mathcal{PC}) = (S_{global}, P_{global}, L, \bar{s}_0)$ 
where $P_{global}$ is viewed as a function $S_{global} \times S_{global} \to [0, 1]$. Dealing with 
LTL\X as formalism for specifying qualitative properties for PLCSs, we deal 
with the satisfaction relation $\mathcal{PC} \models f$ iff $\bar{s}_0 \models_{\mathcal{MC}(\mathcal{PC})} f$ where $\bar{s}_0 = (s_0, \emptyset)$ is the 
initial global state of $\mathcal{MC}(\mathcal{PC})$. 
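The rules for $TS(\mathcal{C})$ and the definition of $P_{global}$ above, as an added Python example that is not code from the paper: it computes $act$, the global successors (loss steps included) and the exact transition probabilities of a constructed sender/receiver PLCS, and checks that the outgoing probabilities of every explored global state sum to 1. The LCS, its weights and the failure probability $p = 1/10$ are constructed for this example; labels and the message alphabet are left implicit.

```python
"""Added example, not from the paper: the global transition relation of a
lossy channel system (Definition 1 and the four rules for TS(C)) and the
transition probabilities P_global of the PLCS built on it (Definition 2).
The sender/receiver system at the bottom is constructed for illustration."""
from collections import deque
from fractions import Fraction

TAU = "tau"                          # the internal action
SEND, RECV, LOSS = "!", "?", "loss"  # tags for c!m, c?m and the loss labels l_{c,i}


def frozen(state):
    """Hashable form of a global state (s, w); w maps a channel to a tuple of messages."""
    s, w = state
    return (s, tuple(sorted(w.items())))


def act(lcs, s, w):
    """act((s,w)): the actions of Act enabled in the global state (s,w)."""
    enabled = set()
    for src, alpha, _t in lcs["trans"]:
        if src != s:
            continue
        if alpha == TAU or alpha[0] == SEND:              # depends on s only
            enabled.add(alpha)
        elif w[alpha[1]] and w[alpha[1]][0] == alpha[2]:  # c?m needs m at the head of c
            enabled.add(alpha)
    return enabled


def successors(lcs, s, w):
    """All (label, (t, w')) with (s,w) --label--> (t,w') in TS(C), losses included."""
    out, enabled = [], act(lcs, s, w)
    for src, alpha, t in lcs["trans"]:
        if src != s or alpha not in enabled:
            continue
        if alpha == TAU:                                           # tau: channels unchanged
            out.append((alpha, (t, dict(w))))
        elif alpha[0] == SEND:                                     # c!m: append m to c
            out.append((alpha, (t, {**w, alpha[1]: w[alpha[1]] + (alpha[2],)})))
        else:                                                      # c?m: drop the head of c
            out.append((alpha, (t, {**w, alpha[1]: w[alpha[1]][1:]})))
    for c, content in w.items():                                   # l_{c,i}: lose message i
        for i in range(1, len(content) + 1):
            out.append(((LOSS, c, i), (s, {**w, c: content[:i - 1] + content[i:]})))
    return out


def p_global(plcs, s, w):
    """P_global((s,w), label, target) for every successor, as exact fractions."""
    lcs, weights, p = plcs["lcs"], plcs["pcontrol"], plcs["p"]
    total = sum(len(x) for x in w.values())                        # |(s,w)| = |w|
    enabled = act(lcs, s, w)
    nu = sum(weights[tr] for tr in lcs["trans"] if tr[0] == s and tr[1] in enabled)
    dist = {}
    for label, (t, w2) in successors(lcs, s, w):
        if label[0] == LOSS:                                       # all losses equally likely
            dist[(label, frozen((t, w2)))] = p / total
        else:                                                      # no loss from empty channels
            scale = (1 - p) / nu if total else Fraction(1) / nu
            dist[(label, frozen((t, w2)))] = scale * weights[(s, label, t)]
    return dist


def check_stochastic(plcs, bound):
    """Explore the global states with |w| <= bound and verify that the outgoing
    probabilities of each explored state sum to 1.  Returns the number of states."""
    lcs = plcs["lcs"]
    start = (lcs["s0"], {c: () for c in lcs["channels"]})
    seen, queue = {frozen(start)}, deque([start])
    while queue:
        s, w = queue.popleft()
        dist = p_global(plcs, s, w)
        if sum(dist.values()) != 1:
            raise ValueError(f"not stochastic at {frozen((s, w))}: {dist}")
        for _label, (t, wf) in dist:
            w2 = dict(wf)
            if sum(len(x) for x in w2.values()) <= bound and (t, wf) not in seen:
                seen.add((t, wf))
                queue.append((t, w2))
    return len(seen)


# Constructed PLCS: a sender/receiver pair folded into one control automaton.
# Channel "c" carries the data message "m", channel "d" the acknowledgement "ack".
SEND_M, RECV_M = (SEND, "c", "m"), (RECV, "c", "m")
SEND_ACK, RECV_ACK = (SEND, "d", "ack"), (RECV, "d", "ack")
LCS_EXAMPLE = {
    "s0": "idle", "channels": ("c", "d"),
    "trans": {("idle", SEND_M, "sent"), ("sent", SEND_M, "sent"), ("sent", RECV_M, "got"),
              ("got", SEND_ACK, "wait"), ("wait", SEND_ACK, "wait"), ("wait", RECV_ACK, "idle")},
}
PLCS_EXAMPLE = {
    "lcs": LCS_EXAMPLE, "p": Fraction(1, 10),   # failure probability p in ]0,1[
    "pcontrol": {                               # weights, > 0 exactly on the LCS transitions
        ("idle", SEND_M, "sent"): 1, ("sent", SEND_M, "sent"): 1, ("sent", RECV_M, "got"): 3,
        ("got", SEND_ACK, "wait"): 1, ("wait", SEND_ACK, "wait"): 1, ("wait", RECV_ACK, "idle"): 3,
    },
}
```

In the global state (sent, c = m) the enabled actions are c!m and c?m with weights 1 and 3, so $\nu = 4$ and the three successors get probabilities $9/40$, $27/40$ and $1/10$ (the single loss step), which sum to 1 as required.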

4 Model Checking 

In this section, we describe a LTL\X model checking procedure for PLCSs. More 
precisely, the input of our algorithm is a PLCS $\mathcal{PC}$ and a LTL\X formula $f$; 
the output is "yes" or "no" depending on whether or not $\mathcal{PC} \models f$. The basic 
idea of our method is the reduction of the LTL\X model checking problem to a 
reachability problem in a (non-probabilistic) LCS where the latter can be solved 
with the methods proposed in [AJ93] or [AKP97]. 

Before we explain how our algorithm works we briefly sketch the algorithmic 
methods that have been developed for verifying finite probabilistic systems 
against LTL formulas. 

Courcoubetis & Yannakakis [CY88] deal with finite Markov chains and 
present an algorithm that is based on a recursive procedure that successively removes 
the temporal modalities from the formula (i.e. replaces each subformula $g$ 
whose outermost operator is a temporal operator, e.g. $U$, by a new atomic proposition 
$a_g$) where at the same time each state $s$ of the underlying Markov chain $\mathcal{M}$ 
is split into the two states $(s, a_g)$ and $(s, \neg a_g)$. The transition probabilities in 
the new Markov chain $\mathcal{M}_g$ are computed with the help of the probabilities $p_s(g)$ 

Note that $|\bar{s}| \ne 0$ because we cannot lose a message from the empty channel. 

To be precise, we deal with a pointed Markov chain by which we mean a Markov 
chain that is endowed with an initial state. For simplicity, we briefly refer to "pointed 
Markov chains" as "Markov chains". 

for the path formula $g$. This method is very tricky and elegant for finite Markov 
chains but it seems to be not adequate for infinite systems (like PLCSs) since it 
would require the computation of infinitely many transition probabilities. 

An alternative method is based on the $\omega$-automaton approach proposed by 
Vardi & Wolper [Var85, VW86]. This approach has been used later by several 
other authors, see e.g. [CY95, ?]. The basic idea behind the 
$\omega$-automata theoretic approach can be sketched as follows. The starting point is 
a probabilistic system $\mathcal{S}$, e.g. described by a Markov chain or Markov decision 
process, and a linear time formula $f$. Using well-known methods, one constructs 
an $\omega$-automaton $\mathcal{A}_f$ for the formula $f$ and defines a new probabilistic system 
$\mathcal{S} \times \mathcal{A}_f$ by taking the "product" of $\mathcal{S}$ and $\mathcal{A}_f$. From the acceptance 
condition of $\mathcal{A}_f$, a set $V$ of states in $\mathcal{S} \times \mathcal{A}_f$ can be derived such that the 
probability that $f$ holds in a state $s$ agrees with the probability for a certain 
state $s'$ in $\mathcal{S} \times \mathcal{A}_f$ to reach a state in $V$. 

Similar ideas are used in the tableau-based method of Pnueli & Zuck [?] 
where the "product" of the probabilistic system and the "tableau" for $f$ (obtained 
from the Fischer-Ladner closure of $f$) is analyzed. 

In this paper, we follow the approaches of [?] and use a deterministic 
Rabin automaton to get an alternative characterization of the probability 
that a LTL\X formula $f$ holds in a global state. 

We recall the basic definitions and explain our notations. A deterministic
Rabin automaton $\mathcal{A}$ is a tuple $(Q, q_0, Alph, \delta, AccCond)$ where

• $Q$ is a non-empty finite set of states,

• $q_0 \in Q$ is the initial state,

• $Alph$ is a finite alphabet,

• $\delta : Q \times Alph \to Q$ is the transition function,

• $AccCond$ is the acceptance condition, i.e. $AccCond \subseteq 2^Q \times 2^Q$.

An infinite sequence $\rho = \rho_0, \rho_1, \rho_2, \ldots \in Q^\omega$ is said to satisfy the acceptance
condition of the automaton $\mathcal{A}$ (denoted $\rho \models AccCond$) iff there exists $(A, B) \in AccCond$
such that $inf(\rho) \subseteq A$ and $inf(\rho) \cap B \neq \emptyset$. Here, $inf(\rho)$ denotes the
set of automaton states that occur infinitely often in $\rho$.

A run $r$ of $\mathcal{A}$ over an infinite word $a_0, a_1, a_2, \ldots \in Alph^\omega$ is a sequence
$r = q_0, q_1, q_2, \ldots \in Q^\omega$ (starting in the initial state $q_0$ of $\mathcal{A}$) with $q_{i+1} = \delta(q_i, a_i)$
for all $i \geq 0$. A run $r$ of $\mathcal{A}$ is called accepting iff $r \models AccCond$. A word
$a = a_0, a_1, a_2, \ldots \in Alph^\omega$ is called accepted iff there is an accepting run $r$ over $a$. Let
$AccWords(\mathcal{A})$ denote the set of accepted words.

It is well-known [WVS83, VW86] that, for any LTL formula $f$ (in particular,
for any LTL\X formula) with atomic propositions in $AP$, a deterministic
Rabin automaton $\mathcal{A}_f$ with the alphabet $Alph = 2^{AP}$ can be constructed such
that $AccWords(\mathcal{A}_f)$ is exactly the set of infinite words $a = a_0, a_1, \ldots$ over $2^{AP}$
where $f$ is true.

[dA97, BK98] deal with finite probabilistic systems with non-determinism, i.e.
Markov Decision Processes rather than Markov chains. It is still open whether or
not a non-deterministic ω-automaton would still be sufficient for our purposes, as
is the case for finite Markov chains.

The product $M \times \mathcal{A}_f$ of a Markov chain $M = (S, P, L)$ and the
automaton $\mathcal{A}_f$ is defined as follows:

$$M \times \mathcal{A}_f = (S \times Q, P', L')$$

where $L'((s,q)) = L(s)$ and

$$P'((s,q),(t,p)) = \begin{cases} P(s,t) & \text{if } p = \delta(q, L(t)) \\ 0 & \text{otherwise.} \end{cases}$$



Let $AccCond = \{(A_j, B_j) : j = 1, \ldots, k\}$ be the acceptance condition of $\mathcal{A}_f$.
Hence we define $A'_j = S \times A_j$, $B'_j = S \times B_j$. Let $V'_j$ be the largest set such that
$V'_j \subseteq A'_j$ and $Reach_{M \times \mathcal{A}_f}(v') \subseteq V'_j$, $Reach_{M \times \mathcal{A}_f}(v') \cap B'_j \neq \emptyset$ for all $v' \in V'_j$
(the empty set satisfies these conditions trivially, so it is the largest such set that matters).
Let $V' = V'_1 \cup \ldots \cup V'_k$. As in [dA97, BK98] it can be shown that

$$(*)\quad Prob_M\{\pi \in Path_M(s) : \pi \models f\} = Prob_{M \times \mathcal{A}_f}\{\pi \in Path_{M \times \mathcal{A}_f}(s') : \pi \models \Diamond V'\}$$

for all states $s \in S$. Here, $s'$ denotes the state $(s, \delta(q_0, L(s)))$ and $\pi \models \Diamond V'$ is an
abbreviation of "$\pi$ will eventually reach a state of $V'$". Thus, the test whether
$p_s(f) = 1$ can be done by first computing $\mathcal{A}_f$ and then performing a probabilistic
reachability analysis in the product $M \times \mathcal{A}_f$ to check whether

$$(**)\quad Prob_{M \times \mathcal{A}_f}\{\pi \in Path_{M \times \mathcal{A}_f}(s') : \pi \models \Diamond V'\} = 1.$$

For finite Markov chains, the latter (the test of (**)) can be done with
non-probabilistic (graph theoretical) methods. In our case, where we deal with
infinite Markov chains obtained by a PLCS (i.e. Markov chains of the form
$M = MC(\mathcal{PL})$), condition (*) still holds but it is not clear (at least not for the authors)
how to test condition (**). The problem is that the reachability algorithm of
[AJ93] (or [AKP97]) cannot be applied since the underlying transition system of
the so obtained Markov chain $MC(\mathcal{PL}) \times \mathcal{A}_f$ might not be the transition system
of a LCS (see Remark 1). For this reason, we do not deal with the product
$MC(\mathcal{PL}) \times \mathcal{A}_f$ but switch to the product of the PLCS $\mathcal{PL}$ and the automaton $\mathcal{A}_f$
(which yields a new PLCS $\mathcal{PL} \times \mathcal{A}_f$) and then show how to apply conventional
methods for a reachability analysis in the LCS $\mathcal{L} \times \mathcal{A}_f$ to reason about the
probabilities in $MC(\mathcal{PL} \times \mathcal{A}_f)$.
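The finite-chain construction described above (the product $M \times \mathcal{A}_f$, the sets $V'_j$ as greatest fixed points, and the graph-theoretical test of (**)) carried out in Python, as an added example that is not code from the paper. The Rabin automaton for $\Diamond\Box a$, the two toy chains, and all function names are constructed here; the greatest-fixed-point iteration terminates only because the chain is finite, which is exactly the case the text says is handled by graph methods.

```python
# Added illustration (not code from the paper): product of a finite Markov chain
# with a deterministic Rabin automaton, the accepting set V', and the qualitative
# test (**) decided by reachability alone.

def _reachable(succ, start, avoid=frozenset()):
    """States reachable from `start` (start included) along `succ`; states in
    `avoid` are collected but never expanded, so paths do not pass through them."""
    seen, stack = set(), [start]
    while stack:
        v = stack.pop()
        if v in seen:
            continue
        seen.add(v)
        if v not in avoid:
            stack.extend(succ[v])
    return seen


def dra_eventually_always(ap):
    """Hand-built deterministic Rabin automaton for the LTL\\X formula <>[] ap.
    State q1 means 'the last letter contained ap'; the single Rabin pair
    ({q1}, {q1}) accepts a run iff it eventually stays in q1 forever."""
    def delta(q, letter):
        return "q1" if ap in letter else "q0"
    return {"q0", "q1"}, "q0", delta, [({"q1"}, {"q1"})]


def product(S, P, L, dra):
    """M x A_f = (S x Q, P', L') with P'((s,q),(t,p)) = P(s,t) iff p = delta(q, L(t))."""
    Q, _, delta, _ = dra
    states = {(s, q) for s in S for q in Q}
    succ = {v: set() for v in states}
    P_prod = {}
    for (s, q) in states:
        for t in S:
            pr = P.get((s, t), 0.0)
            if pr > 0:
                w = (t, delta(q, L[t]))
                P_prod[((s, q), w)] = pr
                succ[(s, q)].add(w)
    return states, P_prod, succ


def accepting_set(states, succ, dra):
    """V' = union over Rabin pairs of the largest V_j' subset of A_j' that is closed
    under reachability and from which B_j' stays reachable (greatest fixed point,
    computed by repeatedly discarding states that violate a condition)."""
    _, _, _, acc = dra
    reach = {v: _reachable(succ, v) for v in states}
    V = set()
    for A, B in acc:
        A_p = {v for v in states if v[1] in A}
        B_p = {v for v in states if v[1] in B}
        V_j = set(A_p)
        changed = True
        while changed:
            changed = False
            for v in list(V_j):
                if not reach[v] <= V_j or not (reach[v] & B_p):
                    V_j.remove(v)
                    changed = True
        V |= V_j
    return V


def holds_almost_surely(S, P, L, s, dra):
    """Test (**): Prob{reach V' from s' = (s, delta(q0, L(s)))} = 1 iff every state
    reachable from s' without passing V' can still reach V'."""
    _, q0, delta, _ = dra
    states, _, succ = product(S, P, L, dra)
    V = accepting_set(states, succ, dra)
    start = (s, delta(q0, L[s]))
    frontier = _reachable(succ, start, avoid=V) - V
    return all(_reachable(succ, v) & V for v in frontier)


# Constructed toy chain: s1 and s2 carry 'a' and form a closed component; s3 is a
# detour without 'a'. In P_LIVE the detour returns to s0, in P_STUCK it absorbs.
S = ["s0", "s1", "s2", "s3"]
L = {"s0": set(), "s1": {"a"}, "s2": {"a", "b"}, "s3": set()}
P_LIVE = {("s0", "s1"): 0.5, ("s0", "s3"): 0.5, ("s1", "s2"): 1.0,
          ("s2", "s2"): 0.7, ("s2", "s1"): 0.3, ("s3", "s3"): 0.6, ("s3", "s0"): 0.4}
P_STUCK = {**P_LIVE, ("s3", "s3"): 1.0}
del P_STUCK[("s3", "s0")]
DRA = dra_eventually_always("a")

if __name__ == "__main__":
    print(holds_almost_surely(S, P_LIVE, L, "s0", DRA))   # True: <>[]a almost surely
    print(holds_almost_surely(S, P_STUCK, L, "s0", DRA))  # False: half the mass is stuck in s3
```

Note that `holds_almost_surely` never looks at the numerical values of `P` beyond positivity; that is what makes the finite case purely graph-theoretical, and it is also why the same code cannot be run on the infinite chain of a PLCS.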



4.1 The Product of a PLCS and an ω-Automaton

In the sequel, let $\mathcal{PL}$ be a PLCS and $\mathcal{A}$ a deterministic Rabin automaton with
the alphabet $2^{AP}$ where the components of $\mathcal{PL}$ and $\mathcal{A}$ are as before; i.e.
$\mathcal{PL} = (\mathcal{L}, P_{control}, p)$ and $\mathcal{A} = (Q, q_0, 2^{AP}, \delta, AccCond)$ where $\mathcal{L}$ is as in Definition 1
and $AccCond = \{(A_j, B_j) : j = 1, \ldots, k\}$.

Here, satisfaction of LTL formulas interpreted over infinite words over $2^{AP}$ is defined
in the obvious way.

The existence of such a set $V'_j$ can be shown with the help of Tarski's fixed point
theorem for monotonic set-valued operators.

One just has to check whether all states reachable from the state $s'$ via an execution
sequence that does not pass $V'$ can reach a $V'$-state.
Definition 3. $\mathcal{PL} \times \mathcal{A}$ denotes the PLCS $(\mathcal{L} \times \mathcal{A}, P_{\mathcal{A}}, p)$ where

$$\mathcal{L} \times \mathcal{A} = (S_{control} \times Q, (s_0, p_0), \to_{\mathcal{A}}, Ch, Mess, L_{\mathcal{A}})$$

with $p_0 = \delta(q_0, L(s_0))$, $L_{\mathcal{A}}((s,q)) = L(s)$ and

$$(s,q) \xrightarrow{a}_{\mathcal{A}} (t,p) \quad\text{iff}\quad s \xrightarrow{a} t \ \text{ and }\ p = \delta(q, L(t)),$$

and, if $(s,q) \xrightarrow{a}_{\mathcal{A}} (t,p)$, then $P_{\mathcal{A}}((s,q), a, (t,p)) = P_{control}(s, a, t)$.

We use the notation $(s, w, q) \in S_{control} \times (Ch \to Mess^*) \times Q$ rather than
$((s,q), w)$ for the global states in $MC(\mathcal{PL} \times \mathcal{A})$.

Remark 1. The Markov chain $MC(\mathcal{PL} \times \mathcal{A})$ induced by $\mathcal{PL} \times \mathcal{A}$ differs from the
product $MC(\mathcal{PL}) \times \mathcal{A}$. We regard the loss of messages in both constructions.
Let $q' = \delta(q, L(s))$ and assume $q \neq q'$. Let $w : Ch \to Mess^*$ be such that
$w.c = m_1 \ldots m_{i-1} m_i m_{i+1} \ldots m_n$ and $w' = w[c := m_1 \ldots m_{i-1} m_{i+1} \ldots m_n]$. In
$MC(\mathcal{PL}) \times \mathcal{A}$, the state $(s,w,q)$ can move to $(s,w',q')$ (via the loss action $\ell_{c,i}$), but
possibly not to the state $(s,w',q)$. In $MC(\mathcal{PL} \times \mathcal{A})$, we have

$$(s,w,q) \xrightarrow{\ell}_{\mathcal{A}} (s,w',q).$$

Thus, $P'((s,w,q),(s,w',q)) = 0 < P_{global}((s,w,q),(s,w',q))$ is possible.
This signifies that it is possible that the underlying graph of the Markov chain
$MC(\mathcal{PL}) \times \mathcal{A}$ cannot be obtained as the transition system of a LCS. ■

We now assume that $\mathcal{A} = \mathcal{A}_f$ is a deterministic automaton for an LTL\X
formula $f$. Recall that $p_s(f)$ denotes $Prob_M\{\pi \in Path_M(s) : \pi \models_M f\}$.

Lemma 1. Let $s$ be a global state in $\mathcal{PL}$ and $s' = (s, \delta(q_0, L(s)))$. Then
$p_s(f) = p_{s'}(f)$, where the right-hand side is taken in $MC(\mathcal{PL} \times \mathcal{A}_f)$.

Proof. Easy verification. ■

For the construction $M \times \mathcal{A}_f$, the projection of a path $\pi$ in $M \times \mathcal{A}_f$ to the
automaton states yields a run in $\mathcal{A}_f$ which is accepting iff $\pi \models f$. Unfortunately,
the projection of the paths in $MC(\mathcal{PL} \times \mathcal{A}_f)$ to the automaton states does not
yield a run in $\mathcal{A}_f$ since the loss of a message (more precisely, a step of the form
$(s,w,q) \xrightarrow{\ell} (s,w',q)$ where $\delta(q, L(s)) \neq q$) does not correspond to a transition
in $\mathcal{A}_f$. However, the loss of a message does not affect the control and automaton
state and hence can be viewed as a stutter step. Since we do not deal with the
next step operator and since the atomic propositions only depend on the control
components (but not on the channel contents), the formula $f$ is insensitive with
respect to such stutter steps. Thus, $\pi \models f$ iff $r$ is accepting, where $r$
is the run induced by the sequence of automaton states that results from $\pi$ by
removing all stutter steps.

Let $A'_j = S_{control} \times A_j$, $B'_j = S_{control} \times B_j$. In the sequel, we treat $A'_j$, $B'_j$ as
atomic propositions with the obvious meaning; e.g. $A'_j \in L_{\mathcal{A}}((s,q))$ if $(s,q) \in A'_j$.

Note that the control state (which consists in $\mathcal{L} \times \mathcal{A}$ of a control state in $\mathcal{L}$ and an
automaton state) does not change if a message is lost.
Lemma 2. For any path $\pi$ in $MC(\mathcal{PL} \times \mathcal{A}_f)$:

$$\pi \models f \quad\text{iff}\quad \pi \models \bigvee_{1 \leq j \leq k} \Diamond\Box\,(A'_j \wedge \Diamond B'_j).$$

Proof. (Sketch) We denote by $=_{st}$ the stuttering equivalence relation for infinite
sequences $x_0, x_1, x_2, \ldots$ over an arbitrary set. Let $a = a_0, a_1, \ldots$ and
$a' = a'_0, a'_1, \ldots$ be infinite sequences over $2^{AP}$. Since $f$ is invariant under stutter steps
we get:

(1) If $a =_{st} a'$ then $a \models f$ iff $a' \models f$.

If $p = p_0, p_1, \ldots$ and $p' = p'_0, p'_1, \ldots$ are infinite sequences over $Q$ then:

(2) If $p =_{st} p'$ then $p \models AccCond$ iff $p' \models AccCond$.

Let $\pi$ be a path in $MC(\mathcal{PL} \times \mathcal{A}_f)$ and $\pi(i) = (s_i, w_i, p_i)$. For any $i$, we choose
some $\alpha_i \in Act \cup \{\ell\}$ such that $\pi(i) \xrightarrow{\alpha_i} \pi(i+1)$. Clearly, there are infinitely
many indices $i$ with $\alpha_i \neq \ell$ (each loss removes a message from a finite channel
content, so only finitely many losses can occur in a row). Let
$(s'_0, w'_0, p'_0), (s'_1, w'_1, p'_1), \ldots$ be the sequence that
results from $\pi$ by removing the $i$-th tuple $\pi(i) = (s_i, w_i, p_i)$ if $\alpha_i = \ell$. Let
$a = L(s_0), L(s_1), \ldots$, $a' = L(s'_0), L(s'_1), \ldots$, $p = p_0, p_1, \ldots$, $p' = p'_0, p'_1, \ldots$.
We have $(s_i, p_i) = (s_{i+1}, p_{i+1})$ for all indices $i$ with $\alpha_i = \ell$. Thus $a =_{st} a'$ and
$p =_{st} p'$. By definition of $\mathcal{PL} \times \mathcal{A}_f$, we have $p'_{i+1} = \delta(p'_i, L(s'_{i+1}))$, $i = 0, 1, 2, \ldots$
Thus, $p'$ is a run over $a'$. Hence,

$$a' \models f \quad\text{iff}\quad a' \in AccWords(\mathcal{A}_f) \quad\text{iff}\quad p' \models AccCond.$$

By (1) and (2), $\pi \models f$ iff $a \models f$ iff $a' \models f$ iff $p' \models AccCond$ iff $p \models AccCond$.
Clearly, $p \models AccCond$ is an equivalent formulation for $\pi \models \bigvee_j \Diamond\Box\,(A'_j \wedge \Diamond B'_j)$. ■



Here, $=_{st}$ is the smallest equivalence relation on $X^\omega$ which identifies all sequences
$x_0, x_1, \ldots, x_{i-1}, x_i, x_{i+1}, \ldots$ and $x_0, x_1, \ldots, x_{i-1}, x_{i+1}, \ldots$ where $x_i = x_{i+1}$.

4.2 Probabilistic Input Enabledness

Because of Lemma 1 and Lemma 2 we can restrict our attention to formulas of
the form $\bigvee_j \Diamond\Box\,(a_j \wedge \Diamond b_j)$ where $a_j$, $b_j$ are atomic propositions. We aim at a
condition that allows us to establish qualitative properties specified by formulas
of this type by analyzing the graph of the underlying LCS. For this, we need a
condition that allows us to abstract from the concrete transition probabilities. In
contrast to the finite-state case, for infinite Markov chains, the precise transition
probabilities might be essential for establishing qualitative properties.

Example 1. The Markov chain of Figure 1 can be viewed as the Markov chain
associated with a PLCS consisting of a single control state $s$, one channel $c$, one
message $m$, the transition $s \xrightarrow{c!m} s$ and the failure probability $p$. Then, the
state $s_k$ of Figure 1 represents the global state $(s, w)$ with $w.c = m^k$, in which the total channel
length is $k$. The qualitative property stating that the initial global state $s_0$ is
visited infinitely often holds for $p > 1/2$ but not for $p < 1/2$. ■

The problem in the above example is that, for $p < 1/2$, with non-zero probability
the channels grow in an "uncontrolled" way. To prevent such situations,
we restrict our attention to probabilistic input enabled PLCSs. Probabilistic input
enabledness is a condition which ensures that with probability at least $1/2$ any
global state $s$ moves within one step to a global state $t$ where $|t| = |s| - 1$, and
which guarantees that almost all executions visit infinitely many global states
where all channels are empty (see Lemma 3). In particular, it ensures that with
probability 1 any message $m$ received in a certain channel $c$ will either be lost
or will be consumed by a process (via the action $c?m$).

The formal definition of probabilistic input enabledness can be viewed as
a probabilistic "variant" of the standard notion of input enabledness for I/O-automata,
see [LT87, Lyn95]. In fact we work with a slightly different meaning of
input enabledness. For I/O-automata, communication works synchronously and
input enabledness guarantees that the output of messages cannot be blocked.
This effect is already obtained for systems where the communication works
asynchronously (as for LCSs). Our notion of input enabledness can be viewed as a
condition that asserts some kind of "channel fairness" as it rules out the pathological
case where a certain message $m$ (produced and sent by a process via the
action $c!m$) is totally ignored (i.e. never lost nor consumed via the action $c?m$).
We adapt the notion of input enabledness for I/O-automata (which asserts that
in any (global) state all input actions are enabled) for PLCSs in such a way that,
for any global state $s$ where $|s| \geq 1$, the probability for any input action $c?m$ is
"sufficiently" large.

Definition 4. A PLCS $\mathcal{PL}$ is called probabilistic input enabled iff for all $s \in S_{control}$
and all $c \in Ch$, $m \in Mess$:

$$P_{control}(s, c?m) \;\geq\; (1 - 2p) \cdot \sum_{\alpha \in SendAct \cup \{\tau\}} P_{control}(s, \alpha).$$

It should be noticed that any PLCS with failure probability $p > 1/2$ is
probabilistic input enabled (the right-hand side is then negative). Clearly, with $\mathcal{PL}$, also
the product $\mathcal{PL} \times \mathcal{A}$ is probabilistic input enabled. In the sequel, we assume that
$\mathcal{PL} = (\mathcal{L}, P_{control}, p)$ is a probabilistic input enabled PLCS where $\mathcal{L}$ is as in Definition 1.

Let $S_\emptyset = \{s \in S_{global} : |s| = 0\}$ be the set of all global states where all
channels are empty. We write $\pi \models \Box\Diamond S_\emptyset$ to denote that $\pi$ passes infinitely many
global states in $S_\emptyset$, i.e. $|\pi(i)| = 0$ for infinitely many indices $i$.

Lemma 3. For all global states $s$ with $|s| \geq 1$:

$$\sum_{|t| = |s| - 1} P_{global}(s,t) \;\geq\; \frac{1}{2},$$

and, for all global states $s$, $Prob\{\pi \in Path(s) : \pi \models \Box\Diamond S_\emptyset\} = 1$.

Proof. (Sketch) The first part is an easy verification. For the second part it
suffices to show that $p(s) = 1$ for all global states $s$ where
$p(s) = Prob\{\pi \in Path(s) : \pi \models \Diamond S_\emptyset\}$. We put $p(k) = \min\{p(s) : s \in S_{global}, |s| \leq k\}$. Then,
$1 = p(0) \geq p(1) \geq \ldots$. Let $s \in S_{global}$, $|s| = k$ where $k \geq 1$. Then,

$$\begin{aligned}
p(s) &= \sum_{|t| \in \{k, k+1\}} P_{global}(s,t) \cdot p(t) \;+\; \sum_{|t| = k-1} P_{global}(s,t) \cdot p(t) \\
&\geq \sum_{|t| \in \{k, k+1\}} P_{global}(s,t) \cdot p(k+1) \;+\; \sum_{|t| = k-1} P_{global}(s,t) \cdot p(k-1) \\
&\geq (1 - Q(k, k-1)) \cdot p(k+1) \;+\; Q(k, k-1) \cdot p(k-1),
\end{aligned}$$

where $Q(k, k-1) = \min\big\{\sum_{|t| = |s|-1} P_{global}(s,t) : s \in S_{global},\ 1 \leq |s| \leq k\big\}$. By the
first part of the lemma we get $Q(k, k-1) \geq 1/2$. Let $\varrho = \inf_{k \geq 1} Q(k, k-1)$. Then,
$p(k) \geq (1 - \varrho) \cdot p(k+1) + \varrho \cdot p(k-1)$. This yields a similar situation as in Figure 1,
where $p(k)$ can be viewed as the probability to reach $s_0$ from $s_k$, and (since
$\varrho \geq 1/2$) we get $p(k) = 1$ for all $k \geq 1$. ■
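The random walk behind Example 1 and the inequality in the proof of Lemma 3, computed numerically as an added example that is not part of the paper. The chain of Figure 1 is rebuilt here from its description (state $k$ = channel length $k$, down with probability $p$, up with $1-p$), truncated at a cutoff so that $p(k) = Prob(\text{reach } s_0 \text{ from } s_k)$ is the solution of a finite linear system; the closed form is the standard gambler's-ruin limit. All function names are ours.

```python
# Added illustration (not from the paper): the chain of Example 1 / Figure 1 and
# the reachability probabilities p(k) used in the proof of Lemma 3.

def figure1_chain(p, cutoff):
    """Transition probabilities of the constructed chain: from s_k (k >= 1) a
    message is lost with probability p (to s_{k-1}) and sent with probability
    1-p (to s_{k+1}). s_0 is the target and left absorbing; s_cutoff is made
    absorbing as well, which can only lower the computed probability."""
    P = {}
    for k in range(1, cutoff):
        P[(k, k - 1)] = p
        P[(k, k + 1)] = 1.0 - p
    return P


def reach_probabilities(P, n, target):
    """Solve x_target = 1 and x_k = sum_t P(k,t) * x_t for all other states
    0..n (absorbing non-target states get x = 0) by Gaussian elimination."""
    size = n + 1
    A = [[0.0] * size for _ in range(size)]
    b = [0.0] * size
    for k in range(size):
        A[k][k] = 1.0
        if k == target:
            b[k] = 1.0
            continue
        for t in range(size):
            A[k][t] -= P.get((k, t), 0.0)
    # forward elimination with partial pivoting
    for col in range(size):
        piv = max(range(col, size), key=lambda r: abs(A[r][col]))
        A[col], A[piv] = A[piv], A[col]
        b[col], b[piv] = b[piv], b[col]
        for r in range(col + 1, size):
            f = A[r][col] / A[col][col]
            if f == 0.0:
                continue
            for c in range(col, size):
                A[r][c] -= f * A[col][c]
            b[r] -= f * b[col]
    # back substitution
    x = [0.0] * size
    for r in range(size - 1, -1, -1):
        x[r] = (b[r] - sum(A[r][c] * x[c] for c in range(r + 1, size))) / A[r][r]
    return x


def example1_return_probability(p, k, cutoff=60):
    """p(k) for the chain of Example 1 on the truncated chain with `cutoff` states."""
    return reach_probabilities(figure1_chain(p, cutoff), cutoff, 0)[k]


def closed_form(p, k):
    """Limit of p(k) for cutoff -> infinity (gambler's ruin): 1 if p >= 1/2,
    otherwise (p / (1 - p)) ** k."""
    return 1.0 if p >= 0.5 else (p / (1.0 - p)) ** k


if __name__ == "__main__":
    for p in (0.6, 0.5, 0.4):
        print(p, example1_return_probability(p, 3), closed_form(p, 3))
```

With $p = 0.6$ the truncated value is already $1$ up to $10^{-10}$; with $p = 0.4$ it matches $(2/3)^3$. The boundary case $p = 1/2$ shows why the proof needs the limit: on the truncated chain the value is $1 - k/\text{cutoff}$ and only tends to $1$ as the cutoff grows.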

We now show how, for probabilistic input enabled PLCSs, qualitative properties
specified by a formula $f' = \bigvee_j \Diamond\Box\,(a_j \wedge \Diamond b_j)$ can be established by proving
a qualitative eventually property $\Diamond U$ where $U$ is a finite set of control states.
For showing that $p_s(\Diamond U) = 1$, we use a reachability analysis in the underlying
(non-probabilistic) LCS. More precisely, the set $U$ is defined by means of the
bottom strongly connected components (BSCCs for short) of the directed graph
$G_\emptyset(\mathcal{L})$ whose nodes represent the global states $(s, \emptyset)$ and whose edges represent
the reachability relation between them. The condition $p_s(\Diamond U) = 1$ can be shown to
be equivalent to $p_s(\Diamond \overline{U}) = 0$ where $\overline{U}$ characterizes all global states $(s, \emptyset)$ that
belong to a BSCC of $G_\emptyset(\mathcal{L})$ and that are not contained in $U$. To check whether
$p_s(\Diamond \overline{U}) = 0$, it suffices to show that the global state $s$ cannot reach a global state
$(u, \emptyset)$ where $u \in \overline{U}$.

We write $p_s(\Diamond U)$ to denote the probability for the global state $s$ to reach a global
state of the form $(u, w)$ for some $u \in U$.

Definition 5. Let $\mathcal{L}$ be a LCS as in Definition 1. We define

$$G_\emptyset(\mathcal{L}) = (S_{control}, \leadsto_{\mathcal{L}})$$

where the relation $\leadsto_{\mathcal{L}} \subseteq S_{control} \times S_{control}$ is given by $s \leadsto_{\mathcal{L}} t$ iff the global
state $(t, \emptyset)$ is reachable from the global state $(s, \emptyset)$ in $TS(\mathcal{L})$.

If $U \subseteq S_{control}$ then we write $s \leadsto_{\mathcal{L}} U$ iff $s \leadsto_{\mathcal{L}} u$ for some $u \in U$.
$s \not\leadsto_{\mathcal{L}} U$ denotes that there is no $u \in U$ with $s \leadsto_{\mathcal{L}} u$.

Let $a_j, b_j \in AP$ and $A_j = \{s \in S_{control} : a_j \in L(s)\}$, $B_j = \{s \in S_{control} : b_j \in L(s)\}$.
Let $U_j$ be the union of all BSCCs $C$ of $G_\emptyset(\mathcal{L})$ such that $C \subseteq A_j$
and $C \cap B_j \neq \emptyset$, $j = 1, \ldots, k$, and $U = U_1 \cup \ldots \cup U_k$; consequently $\overline{U}$ is the
union of all BSCCs $C$ of $G_\emptyset(\mathcal{L})$ such that, for all $j \in \{1, \ldots, k\}$, either $C \not\subseteq A_j$
or $C \cap B_j = \emptyset$.
Lemma 4. For all control states $s$:

$$Prob\Big\{\pi \in Path((s, \emptyset)) : \pi \models \bigvee_{1 \leq j \leq k} \Diamond\Box\,(a_j \wedge \Diamond b_j)\Big\} = 1
\quad\text{iff}\quad s \not\leadsto_{\mathcal{L}} \overline{U}.$$

Proof. (Sketch) Let $U_j$ be the union of all BSCCs $C$ of $G_\emptyset(\mathcal{L})$ such that $C \subseteq A_j$
and $C \cap B_j \neq \emptyset$, $j = 1, \ldots, k$, and $U = U_1 \cup \ldots \cup U_k$. For any global state $s$, we
define $\Pi_{BSCC}(s)$ to be the set of paths $\pi \in Path(s)$ such that, for some BSCC
$C$, all global states $(t, \emptyset)$, $t \in C$, are visited infinitely often. Using Lemma 3 one
can show that

$$(1)\ \ Prob\{\Pi_{BSCC}(s)\} = 1 \qquad\qquad (2)\ \ p_s(\Diamond U) + p_s(\Diamond \overline{U}) = 1$$

for all global states $s$. It is easy to see that $\pi \models \Diamond\Box\,(a_j \wedge \Diamond b_j)$ iff $\pi \models \Diamond U_j$ for
any path $\pi \in \Pi_{BSCC}(s)$. By (1) and (2), we get:

$$p_s\Big(\bigvee_{1 \leq j \leq k} \Diamond\Box\,(a_j \wedge \Diamond b_j)\Big) = p_s(\Diamond U) = 1 - p_s(\Diamond \overline{U}).$$

Hence, $p_s\big(\bigvee_{1 \leq j \leq k} \Diamond\Box\,(a_j \wedge \Diamond b_j)\big) = 1$ iff $p_s(\Diamond \overline{U}) = 0$. Since any global state
$(u, w)$ can reach the state $(u, \emptyset)$ (via losing all messages), we have $p_s(\Diamond \overline{U}) = 0$
iff $s$ cannot reach a global state of the form $(u, \emptyset)$ where $u \in \overline{U}$. ■

4.3 The Model Checking Algorithm

Combining Lemmas 1, 2 and 4 we get the following theorem which builds the
basis of our model checking algorithm.

Theorem 1. Let $\mathcal{PL} = (\mathcal{L}, P_{control}, p)$ be a probabilistic input enabled PLCS
where $\mathcal{L}$ is as in Definition 1, $f$ an LTL\X formula and $\mathcal{A}_f$ a deterministic Rabin
automaton for $f$. Let $\overline{U}'$ be the union of all BSCCs $C$ of the directed graph
$G_\emptyset(\mathcal{L} \times \mathcal{A}_f)$ such that, for all $j \in \{1, \ldots, k\}$, either $C \not\subseteq A'_j$ or $C \cap B'_j = \emptyset$.
Then,

$$\mathcal{PL} \models f \quad\text{iff}\quad s'_0 \not\leadsto_{\mathcal{L} \times \mathcal{A}_f} \overline{U}'.$$

Here, $s'_0 = (s_0, \delta(q_0, L(s_0)))$ denotes the initial control state of $\mathcal{L} \times \mathcal{A}_f$ and $A'_j$, $B'_j$
are as in Lemma 2.

With all the above preliminaries, we are now able to formulate our model
checking algorithm (see Figure 2). The input is a probabilistic input enabled
PLCS $\mathcal{PL}$ and an LTL\X formula $f$. First, we construct a deterministic Rabin
automaton $\mathcal{A}_f$ for $f$ and the LCS $\mathcal{L} \times \mathcal{A}_f$. Then, we compute the reachability
relation $\leadsto_{\mathcal{L} \times \mathcal{A}_f}$ for the LCS $\mathcal{L} \times \mathcal{A}_f$, which yields the graph $G_\emptyset(\mathcal{L} \times \mathcal{A}_f)$. For
this, we may apply the methods of [AJ93] (or [AKP97]).

Using standard methods of graph theory, we calculate the BSCCs of the
graph $G_\emptyset(\mathcal{L} \times \mathcal{A}_f)$ and obtain the set $\overline{U}'$ (defined as in Theorem 1). Finally, we
check whether the initial control state $s'_0$ of $\mathcal{L} \times \mathcal{A}_f$ can reach a node of $\overline{U}'$ with
respect to the edge relation $\leadsto_{\mathcal{L} \times \mathcal{A}_f}$:

$$p_{s'_0}(f) = 1 \quad\text{iff}\quad s'_0 \not\leadsto_{\mathcal{L} \times \mathcal{A}_f} \overline{U}'.$$
Input: a probabilistic input enabled PLCS $\mathcal{PL} = (\mathcal{L}, P_{control}, p)$ and an LTL\X
formula $f$

Output: if $\mathcal{PL} \models f$ then yes else no

Method:

1. Compute the deterministic Rabin automaton $\mathcal{A}_f$ for the formula $f$.

2. Compute the LCS $\mathcal{L} \times \mathcal{A}_f$.

3. Compute the reachability relation $\leadsto_{\mathcal{L} \times \mathcal{A}_f}$ (which yields the graph
$G_\emptyset(\mathcal{L} \times \mathcal{A}_f)$).

4. Compute the set $\overline{U}'$ (defined as in Theorem 1) by means of the BSCCs
in $G_\emptyset(\mathcal{L} \times \mathcal{A}_f)$.

5. If $s'_0 \not\leadsto_{\mathcal{L} \times \mathcal{A}_f} \overline{U}'$ then return yes else return no.

Fig. 2. The LTL\X model checking algorithm
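Steps 4 and 5 of the algorithm in Fig. 2 on a hand-built finite graph, as an added example that is not the paper's implementation. Step 3 (computing the reachability relation of the LCS, which needs the methods of [AJ93] or [AKP97]) is assumed to have been done already; the graph $G_\emptyset(\mathcal{L} \times \mathcal{A}_f)$, its node names and the single Rabin pair are constructed here, and the edge relation is reflexive and transitive as a reachability relation must be.

```python
# Added illustration (not the paper's code): BSCCs of G_0(L x A_f), the set U-bar',
# and the final reachability check of Theorem 1 / Fig. 2.

def strongly_connected_components(nodes, succ):
    """Tarjan's algorithm; returns the SCCs of the graph (nodes, succ) as frozensets."""
    index, low, on_stack, stack, comps = {}, {}, set(), [], []
    next_index = [0]

    def visit(v):
        index[v] = low[v] = next_index[0]
        next_index[0] += 1
        stack.append(v)
        on_stack.add(v)
        for w in succ[v]:
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:          # v is the root of an SCC: pop it
            comp = set()
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.add(w)
                if w == v:
                    break
            comps.append(frozenset(comp))

    for v in nodes:
        if v not in index:
            visit(v)
    return comps


def bottom_sccs(nodes, succ):
    """BSCCs: SCCs without any edge leaving the component."""
    return [c for c in strongly_connected_components(nodes, succ)
            if all(w in c for v in c for w in succ[v])]


def rejecting_bsccs(nodes, succ, rabin_pairs):
    """U-bar' of Theorem 1: union of the BSCCs C such that for every pair
    (A'_j, B'_j) either C is not a subset of A'_j or C is disjoint from B'_j."""
    u_bar = set()
    for c in bottom_sccs(nodes, succ):
        if all(not c <= a or not (c & b) for a, b in rabin_pairs):
            u_bar |= c
    return u_bar


def model_check(nodes, succ, s0, rabin_pairs):
    """Step 5: PL |= f iff s0 cannot reach U-bar' along the edge relation."""
    u_bar = rejecting_bsccs(nodes, succ, rabin_pairs)
    seen, todo = {s0}, [s0]
    while todo:
        v = todo.pop()
        if v in u_bar:
            return False
        for w in succ[v]:
            if w not in seen:
                seen.add(w)
                todo.append(w)
    return True


# Constructed example: control states of L x A_f are (control state, automaton
# state) pairs; the edge relation is the reflexive, transitive reachability relation
# between empty-channel configurations that step 3 would have produced.
NODES = [("init", "q0"), ("work", "q1"), ("done", "q1"), ("fail", "q0")]
REACH_LIVE = {
    ("init", "q0"): {("init", "q0"), ("work", "q1"), ("done", "q1"), ("fail", "q0")},
    ("work", "q1"): {("work", "q1"), ("done", "q1")},
    ("done", "q1"): {("work", "q1"), ("done", "q1")},
    ("fail", "q0"): {("fail", "q0")},
}
# Same system, but the failing branch is unreachable from the initial state.
REACH_SAFE = {**REACH_LIVE,
              ("init", "q0"): {("init", "q0"), ("work", "q1"), ("done", "q1")}}
# One Rabin pair chosen by hand: A'_1 = control states paired with q1, B'_1 = {(done, q1)}.
A1 = {v for v in NODES if v[1] == "q1"}
B1 = {("done", "q1")}
RABIN = [(A1, B1)]

if __name__ == "__main__":
    print(model_check(NODES, REACH_LIVE, ("init", "q0"), RABIN))  # False: (fail,q0) reachable
    print(model_check(NODES, REACH_SAFE, ("init", "q0"), RABIN))  # True
```

The only probabilistic fact the check relies on is Lemma 3: because every path almost surely ends up cycling through all empty-channel states of one BSCC, membership of that BSCC in $\overline{U}'$ is decided by the graph alone.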



5 Conclusion and Future Work

We have shown that, for probabilistic input enabled PLCSs, model checking
against qualitative LTL\X specifications is decidable. This should be contrasted
with the undecidability of LTL model checking for (non-probabilistic) LCSs.
Thus, adding appropriate transition probabilities to a LCS can be
viewed as a technique to overcome the limitations of algorithmic verification
that are due to undecidability results.

Whether or not probabilistic input enabledness is a necessary condition is
still open. The correctness of our method is based on the observation that, with
probability 1, a BSCC $C$ of the graph $G_\emptyset(\mathcal{L})$ is reached and that all states of $C$
are visited infinitely often. This property holds for probabilistic input enabled
systems (see Lemma 3) but is wrong for general PLCSs (see Example 1).

In this paper, we used the interpretation of a PLCS by a (sequential) Markov
chain as proposed in [IN97]. This model is adequate e.g. if the underlying parallel
composition for the processes that communicate via the channels is a probabilistic
shuffle operator in the style of [HHS92]. This kind of parallel composition
assumes a scheduler that decides randomly (according to the "weights" specified
by the function $P_{control}$) which of the processes performs the next step.
Alternatively, the global behaviour of a PLCS could be described by a model for
probabilistic systems with non-determinism (such as concurrent Markov chains
[Var85] or the more general models of [BdA95, Seg95, BE98]), where the
non-determinism can be used to describe the interleaving behaviour of the
communicating processes.

Note that in the probabilistic setting, a linear time formula $f$ is viewed to hold in a
state $s$ iff $f$ holds on almost all paths starting in $s$ (but $f$ might be wrong on some
paths) while, in the non-probabilistic case, $f$ is viewed to be correct for a state $s$ iff
$f$ holds on all paths starting in $s$.

Unfortunately, we cannot report on experimental results. The implementation
of our algorithm (combined with the methods of [AJ93] or [AKP97]), case
studies and a complexity analysis will be future topics. Moreover, we intend to
investigate how our algorithm can be modified for probabilistic systems with
non-determinism and an interpretation of LTL\X formulas over PLCSs that
involves (process) fairness, i.e. an interpretation in the style $\mathcal{PL} \models f$ iff $f$ holds with
probability 1 for any fair scheduler. Another future direction is to study a CTL*-like
temporal logic that combines LTL\X and a branching time logic
where state formulas of the form $\forall f$ (asserting that $f$ holds with probability 1)
are considered.
Abstract. The model of probabilistic I/O automata of Segala and Lynch
is used for the formal specification and analysis of the root contention
protocol from the physical layer of the IEEE 1394 ("FireWire") standard.
In our model of the protocol both randomization and real-time play an
essential role. In order to make our verification easier to understand we
introduce several intermediate automata in between the implementation
and the specification automaton. This allows us to use very simple notions
of refinement rather than the more general but also very complex
simulation relations which have been proposed by Segala and Lynch.

1 Introduction

Recently, the analysis of probabilistic, distributed algorithms and protocols has
gained new attention. Various methods and formalisms have been extended with
probabilities, and several case studies have been carried out using these
formalisms.

This report verifies a small sub-protocol of IEEE 1394, called root contention.
The IEEE 1394 high performance serial bus has been developed for interconnecting
computer and consumer equipment such as multimedia PCs, digital cameras,
VCRs, and CD players. The bus is "hot-pluggable", i.e. equipment can
be added and removed at any time, and allows quick, reliable and inexpensive
high-bandwidth transfer of digitized video and audio. Although originally developed
by Apple (FireWire), the documented version has been accepted as
a standard by IEEE in 1996. More than seventy companies, including Sun,
Microsoft, Lucent Technologies, Philips, IBM, and Adaptec, have joined in
the development of the IEEE 1394 bus, and related consumer electronics and
software. Hence there is a good chance that IEEE 1394 will become the future
standard for connecting digital multimedia equipment. Various parts of IEEE 1394
have been specified and/or verified formally. However, as far as we know,
root contention has not.

Root contention in IEEE 1394 is a simple but realistic protocol that involves
both real-time and randomization. The verification in this report is carried out
in the probabilistic automaton model of Segala and Lynch. Following the
tradition, the correctness of the protocol is proven by establishing a probabilistic
simulation between the implementation and the specification, both probabilistic
automata.



J.-P. Katoen (Ed.): ARTS'99, LNCS 1601, pp. 53-…, 1999.
© Springer-Verlag Berlin Heidelberg 1999

The probabilistic simulation relations of Segala and Lynch are rather complex. In
order to simplify the simulation proofs, this report introduces the notions of
probabilistic step refinement and of probabilistic hyperstep refinement. These
are special cases of the simulations of Segala and Lynch.

The strategy followed in the simulation proof is the following. Given the
protocol automaton Impl and the abstract specification Spec, we define three
intermediate automata I1, I2, and I3. First, I1 abstracts from the message
passing in Impl but keeps the same probabilistic choices and most of the timing
information. Next, I2 abstracts from all the timing information in Impl, and I3
abstracts from the probabilistic choice in I2. The introduction of the intermediate
automata allows us to separate our concerns. The simulation between Impl
and I1 is easy from a probabilistic point of view and its proof mainly involves
traditional, non-probabilistic techniques like proving invariants. The remaining
simulations between the automata I2, I3 and Spec deal with probabilistic choice,
but since these automata are small this is not so difficult anymore.

This paper is organized as follows. After some mathematical preliminaries
in Section 2, Section 3 introduces the probabilistic automaton model. Section
4 describes the root contention protocol, both informally and formally. Then
Section 5 defines the intermediate automata and establishes the simulation
relations. Finally, Section 6 presents the conclusions and some topics for future
research.

2 Probability Distributions

This section recalls a few basic notions from probability theory and introduces
some notation.

Definition 1. Let $I$ be an index set and let $x_i \in [0, \infty]$ for all $i \in I$. Define
$\sum_{i \in I} x_i$ by

1. $\sum_{i \in I} x_i = 0$, if $I = \emptyset$;

2. $\sum_{i \in I} x_i = x_{i_1} + x_{i_2} + \cdots + x_{i_n}$, if $I = \{i_1, i_2, \ldots, i_n\}$ is a finite set
with $n > 0$ elements;

3. $\sum_{i \in I} x_i = \sup\{\sum_{i \in J} x_i \mid J \subseteq I \text{ finite}\}$, if $I$ is infinite.

Here $\sup X$ denotes the supremum of $X$. Notice that $\sum_{i \in I} x_i$ is well-defined because
the summation order is irrelevant, due to the fact that $x_i \geq 0$.

Definition 2. A probability distribution over a set $X$ is a function $\mu : X \to [0, 1]$
such that $\sum_{x \in X} \mu(x) = 1$. We write $support(\mu) = \{x \in X \mid \mu(x) > 0\}$. It
follows from the definitions that this is a countable set. We denote the set of all
probability distributions over $X$ by $\Pi(X)$.

We denote a probability distribution $\mu$ on a countable domain by enumerating
it as a set of pairs. So, if $Dom(\mu) = \{x_1, x_2, \ldots\}$ then we denote $\mu$ by
$\{x_1 \mapsto \mu(x_1), x_2 \mapsto \mu(x_2), \ldots\}$. If the domain of $\mu$ is known, then we often leave out
elements of probability zero. For instance, the probability distribution assigning
probability one to an element $x \in X$ is denoted by $\{x \mapsto 1\}$, irrespective of $X$.
Such a distribution is called the Dirac distribution over $x$. The uniform distribution
over a finite set with $n > 0$ elements, say $\{x_1, \ldots, x_n\}$, is given by
$\{x_1 \mapsto \frac{1}{n}, \ldots, x_n \mapsto \frac{1}{n}\}$.

Definition 3. Let $X$ and $Y$ be sets, $\mu \in \Pi(X)$ and $\nu \in \Pi(Y)$. The product
of $\mu$ and $\nu$, notation $\mu \times \nu$, is the probability distribution $\kappa : X \times Y \to [0, 1]$
satisfying $\kappa(x, y) = \mu(x) \cdot \nu(y)$.

Definition 4. Let $X$ and $Y$ be sets, $\mu \in \Pi(X)$ and $f : X \to Y$. The image of
$\mu$ under $f$, notation $f_*(\mu)$, is the probability distribution $\nu \in \Pi(Y)$ satisfying

$$\nu(y) = \sum_{x \in X,\ f(x) = y} \mu(x).$$

3 Probabilistic Automata

This section presents the model of probabilistic automata and two extensions,
probabilistic I/O automata and timed probabilistic I/O automata. We assume
that the reader is familiar with non-probabilistic (timed) automata and their
simulation relations, and with the standard notations for them, which are used
in this paper.

3.1 The Basic Model

This section recalls the basic probabilistic automaton model of Segala and Lynch, and
introduces the notions of probabilistic step refinement and probabilistic hyperstep
refinement.

Definition 5. A probabilistic automaton $A$ consists of four components:

1. A set $states_A$ of states.

2. A nonempty set $start_A \subseteq states_A$ of start states.

3. An action signature $sig_A = (ext_A, int_A)$, consisting of external and internal
actions respectively; we define the set of actions as $act_A = ext_A \cup int_A$.

4. A transition relation $trans_A \subseteq states_A \times act_A \times \Pi(states_A)$.

We write $s \xrightarrow{a}_A \mu$ for $(s, a, \mu) \in trans_A$, and $s \xrightarrow{a}_A s'$ for $s \xrightarrow{a}_A \{s' \mapsto 1\}$.

Sometimes, a more general definition of probabilistic automata is given where
$trans_A \subseteq states_A \times \Pi(act_A \times states_A)$. In this context the probabilistic automata
from the definition are called simple probabilistic automata.

Definition 6. Let $A$ be a probabilistic automaton. The automaton $A^-$, the
non-probabilistic variant of $A$, which behaves like $A$ but discards all probabilistic
information, is defined by:

1. $states_{A^-} = states_A$.

2. $start_{A^-} = start_A$.

3. $sig_{A^-} = sig_A$.

4. $trans_{A^-} = \{(s, a, s') \mid \exists \mu : s \xrightarrow{a}_A \mu \wedge \mu(s') > 0\}$.

Define $reach_A$, the set of reachable states of $A$, to be the set of reachable states
of $A^-$.

An execution (execution fragment, trace) of a probabilistic automaton $A$ is
an execution (execution fragment, trace) of $A^-$. The set of executions (execution
fragments, traces) and finite executions (execution fragments, traces) of
$A$ are respectively denoted by $execs(A)$ ($frags(A)$, $traces(A)$) and by $execs^*(A)$
($frags^*(A)$, $traces^*(A)$).

Definition 7. If $A$ is a probabilistic automaton and $X \subseteq ext_A$, then $hide(A, X)$
is the probabilistic automaton $(states_A, start_A, (ext_A \setminus X, int_A \cup X), trans_A)$.

Definition 8. We say that two probabilistic automata $A_1$ and $A_2$ are compatible
if $int_{A_1} \cap act_{A_2} = act_{A_1} \cap int_{A_2} = \emptyset$. If $A_1$ and $A_2$ are compatible then their
parallel composition, notation $A_1 \parallel A_2$, is the probabilistic automaton $A$ defined
by:

– $states_A = states_{A_1} \times states_{A_2}$.

– $start_A = start_{A_1} \times start_{A_2}$.

– $sig_A = (ext_{A_1} \cup ext_{A_2}, int_{A_1} \cup int_{A_2})$.

– $trans_A$ is the set of triples $((s_1, s_2), a, \mu_1 \times \mu_2)$ such that for $i = 1, 2$, if
$a \in act_{A_i}$ then $(s_i, a, \mu_i) \in trans_{A_i}$, otherwise $\mu_i = \{s_i \mapsto 1\}$.

Informally, within a composition two probabilistic automata synchronize on their
common actions and evolve independently on others. Whenever synchronization
occurs, the state reached is obtained by choosing a state independently for both
automata.



Probabilistic Step Refinements The simplest form of simulations between
probabilistic automata that we consider are the probabilistic step refinements.
These are mappings from the states of one automaton to the states of another
automaton that preserve initial states and probabilistic transitions.

Definition 9. Let $A$ and $B$ be two probabilistic automata with $ext_A = ext_B$. A
probabilistic step refinement from $A$ to $B$ is a function $r : states_A \to states_B$
such that:

1. for all $s \in start_A$, $r(s) \in start_B$;

2. for all steps $s \xrightarrow{a}_A \mu$ with $s \in reach_A$, one of the following conditions holds:

(a) $r(s) \xrightarrow{a}_B r_*(\mu)$, or

(b) $a \in int_A \wedge r(s) \xrightarrow{b}_B r_*(\mu)$ for some $b \in int_B$, or

(c) $a \in int_A \wedge r_*(\mu) = \{r(s) \mapsto 1\}$.

We write $A \sqsubseteq_{psr} B$ if there is a probabilistic step refinement from $A$ to $B$. Note
that condition 2(c) is equivalent to $a \in int_A \wedge \forall s' [\mu(s') > 0 \Rightarrow r(s') = r(s)]$.
Probabilistic Hyperstep Refinements Probabilistic hyperstep refinements
generalize the probabilistic step refinements introduced above. They are a special
case of the probabilistic forward simulations of Segala and Lynch.

Definition 10. Let $X, Y$ be sets and $R \subseteq X \times \Pi(Y)$. The lifting of $R$ is the
relation $R^* \subseteq \Pi(X) \times \Pi(Y)$ given by: $(\mu, \nu) \in R^*$ if and only if there is a choice
function $r : support(\mu) \to \Pi(Y)$ for $R$, i.e., a function such that $(x, r(x)) \in R$
for all $x \in support(\mu)$, satisfying

$$\nu(y) = \sum_{x \in support(\mu)} \mu(x) \cdot r(x)(y).$$

The idea is that we obtain $\nu$ by choosing the probability distribution $r(x)$ with
probability $\mu(x)$.

Example 1. Given a probabilistic automaton $A$ and an action $a \in act_A$, we
can lift the relation $\xrightarrow{a}_A$ over $states_A \times \Pi(states_A)$ to the relation $\xrightarrow{a}_A{}^*$ over
$\Pi(states_A) \times \Pi(states_A)$. For instance, if $s_1 \xrightarrow{a} \mu_1$, $s_2 \xrightarrow{a} \mu_2$ and $s_1 \neq s_2$, then

$$\{s_1 \mapsto \tfrac{1}{3},\ s_2 \mapsto \tfrac{2}{3}\} \xrightarrow{a}{}^* \tfrac{1}{3} \cdot \mu_1 + \tfrac{2}{3} \cdot \mu_2.$$

Intuitively, if $s_1 \xrightarrow{a} \mu_1$, $s_2 \xrightarrow{a} \mu_2$ and the probability to be in $s_1$ is $\frac{1}{3}$ and to be
in $s_2$ is $\frac{2}{3}$, then we choose the next state according to $\mu_1$ with probability $\frac{1}{3}$ and
according to $\mu_2$ with probability $\frac{2}{3}$. If there is another $a$-transition, say $s_2 \xrightarrow{a} \nu$,
then we can also choose the next state according to $\mu_1$ with probability $\frac{1}{3}$ and
according to $\nu$ with probability $\frac{2}{3}$. Hence

$$\{s_1 \mapsto \tfrac{1}{3},\ s_2 \mapsto \tfrac{2}{3}\} \xrightarrow{a}{}^* \tfrac{1}{3} \cdot \mu_1 + \tfrac{2}{3} \cdot \nu.$$

We do not have

$$\{s_1 \mapsto \tfrac{1}{3},\ s_2 \mapsto \tfrac{2}{3}\} \xrightarrow{a}{}^* \tfrac{1}{3} \cdot \mu_1 + \tfrac{1}{3} \cdot \mu_2 + \tfrac{1}{3} \cdot \nu.$$

Definition 11. Let $A$ and $B$ be probabilistic automata with $ext_A = ext_B$. A
probabilistic hyperstep refinement from $A$ to $B$ is a function
$h : states_A \to \Pi(states_B)$ such that:

1. for all $s \in start_A$, $h(s) = \{s' \mapsto 1\}$ for some $s' \in start_B$;

2. for all steps $s \xrightarrow{a}_A \mu$ with $s \in reach_A$, one of the following conditions holds:

(a) $h(s) \xrightarrow{a}_B{}^* h^*(\mu)$, or

(b) $a \in int_A \wedge h(s) \xrightarrow{b}_B{}^* h^*(\mu)$ for some $b \in int_B$, or

(c) $a \in int_A \wedge h(s) = h^*(\mu)$.

Write $A \sqsubseteq_{phsr} B$ if there is a probabilistic hyperstep refinement from $A$ to $B$.
Segala [ref] describes the behavior of probabilistic automata in terms of trace distributions, and proposes inclusion of trace distributions, notation $\sqsubseteq_{TD}$, as an implementation relation between probabilistic automata that preserves safety properties. The following theorem states that probabilistic (hyper-)step refinements are a sound proof method for establishing trace distribution inclusion.

Theorem 1. Let $A$ and $B$ be probabilistic automata with $ext_A = ext_B$.

1. If $A \sqsubseteq_{psr} B$ then $A \sqsubseteq_{phsr} B$.
2. If $A \sqsubseteq_{phsr} B$ then $A \sqsubseteq_{TD} B$.

Proof. For (1), suppose that $A \sqsubseteq_{psr} B$. Then there exists a probabilistic step refinement $r$ from $A$ to $B$. Let $R : states_A \to \Pi(states_B)$ be given by $R(s) = \{r(s) \mapsto 1\}$. It is routine to check that $R$ is a probabilistic hyperstep refinement from $A$ to $B$. Use that

$$s \xrightarrow{a}_B \nu \iff \{s \mapsto 1\} \xrightarrow{a**}_B \nu.$$

Hence $A \sqsubseteq_{phsr} B$.

For (2), suppose that $A \sqsubseteq_{phsr} B$. Then there exists a probabilistic hyperstep refinement $R$ from $A$ to $B$. We claim that $R$ is a probabilistic forward simulation in the sense of [ref]. Now $A \sqsubseteq_{TD} B$ follows from the soundness result for probabilistic forward simulations, see Proposition 8.7.1 in [ref]. For a simple, direct proof of (2) we refer to [ref].

3.2 Probabilistic I/O Automata 

This section defines the probabilistic I/O automaton model, an extension of 
probabilistic automata with a distinction between input and output actions, 
and with a notion of fair behavior. 

Definition 12. A probabilistic I/O automaton $A$ is a probabilistic automaton enriched with

1. a partition of $ext_A$ into input actions $in_A$ and output actions $out_A$, and

2. a task partition $tasks_A$, which is an equivalence relation over $out_A \cup int_A$ with countably many equivalence classes.

We require that $A$ is input enabled, which means that for all $s \in states_A$ and all $a \in in_A$, there is a $\mu$ such that $s \xrightarrow{a}_A \mu$.

As probabilistic I/O automata are enriched probabilistic automata, we can use the notions of nonprobabilistic variant, reachable state, execution (fragment) and trace also for probabilistic I/O automata.



Definition 13. Let $A$ be a probabilistic I/O automaton. An execution $\alpha$ of $A$ is fair if the following conditions hold for each class $C$ of $tasks_A$:

1. If $\alpha$ is finite then $C$ is not enabled in the final state of $\alpha$.

2. If $\alpha$ is infinite, then $\alpha$ contains either infinitely many actions from $C$ or infinitely many occurrences of states in which no action in $C$ is enabled.

Similarly, a trace of $A$ is fair in $A$ if it is the trace of a fair execution of $A$. The sets of fair executions and fair traces of $A$ are denoted by $fexecs(A)$ and $ftraces(A)$ respectively.

Definition 14. Let $A$ and $B$ be probabilistic automata with $ext_A = ext_B$. Let $r$ be a mapping from $states_A$ to $states_B$. Then $r$ induces a relation $r \subseteq frags(A) \times frags(B)$ as follows: if $\alpha = s_0 a_1 s_1 \cdots \in frags(A)$, $I$ is the index set of $\alpha$, $\beta = t_0 b_1 t_1 \cdots \in frags(B)$ and $J$ is the index set of $\beta$, then $\alpha\, r\, \beta$ if and only if there is a surjective, nondecreasing index mapping $m : I \to J$, such that for all $i \in I$, $j \in J$,

1. $m(0) = 0$

3. if $i > 0$ then either of the following conditions holds

(a) $a_i = b_{m(i)} \wedge m(i) = m(i-1) + 1$, or

(b) $a_i \in int_A \wedge b_{m(i)} \in int_B \wedge m(i) = m(i-1) + 1$, or

(c) $a_i \in int_A \wedge m(i) = m(i-1)$.

In [ref], fair trace distribution inclusion, notation $\sqsubseteq_{FTD}$, is proposed as an implementation relation between probabilistic I/O automata that preserves both safety and liveness properties.

Claim ([ref]). Let $A$ and $B$ be probabilistic I/O automata. Let $r$ be a probabilistic step refinement from $A$ to $B$ that relates each fair execution of $A$ only to fair executions of $B$. Then $A \sqsubseteq_{FTD} B$.

3.3 Timed Probabilistic I/O Automata 

Definition 15. A timed probabilistic I/O automaton $A$ is a probabilistic automaton enriched with a partition of $ext_A$ into input actions $in_A$, output actions $out_A$, and the set $\mathbb{R}^{>0}$ of positive real numbers or time-passage actions. We require¹ that, for all $s, s', s'' \in states_A$ and $d, d' \in \mathbb{R}^{>0}$ with $d' < d$,

1. $A$ is input enabled,

2. each step labelled with a time-passage action leads to a Dirac distribution,

3. (Time determinism) if $s \xrightarrow{d}_A s'$ and $s \xrightarrow{d}_A s''$ then $s' = s''$,

4. (Wang's axiom) $s \xrightarrow{d}_A s'$ iff $\exists s'' : s \xrightarrow{d'}_A s''$ and $s'' \xrightarrow{d - d'}_A s'$.

As timed probabilistic I/O automata are enriched probabilistic automata, we can use the notions of nonprobabilistic variant, reachable state, and execution (fragment), also for timed probabilistic I/O automata.

We say that an execution $\alpha$ of $A$ is diverging if the sum of the time-passage actions in $\alpha$ diverges to $\infty$.

¹ For simplicity the conditions here are slightly more restrictive than those in
Definition 16. Let $A, B$ be probabilistic or timed probabilistic I/O automata. A function $r$ is a probabilistic (hyper)step refinement from $A$ to $B$ if $r$ is a probabilistic (hyper)step refinement from the underlying probabilistic automaton of $A$ to the underlying probabilistic automaton of $B$.

In [22], it is argued that, under certain assumptions (met by the automata studied in this paper), $\sqsubseteq_{TD}$ can be used as a safety and liveness preserving implementation relation between timed I/O automata. In addition, the relation $\sqsubseteq_{DFTD}$ is proposed as a safety and liveness preserving implementation relation between timed probabilistic I/O automata and probabilistic I/O automata.

Claim ([ref]). Let $A$ be a timed probabilistic I/O automaton and let $B$ be a probabilistic I/O automaton. Let $r$ be a probabilistic step refinement from $hide(A, \mathbb{R}^{>0})$ to $B$ that relates each divergent execution of $A$ only to fair executions of $B$. Then $A \sqsubseteq_{DFTD} B$.

4 Description of the Protocol 

The IEEE 1394 serial bus protocol has been designed for communication between multimedia equipment. In the IEEE 1394 standard, components connected to the bus are referred to as nodes. Each node has a number of ports which are used for bidirectional connections to (other) nodes. Each port has at most one connection.

The protocol has several layers, of which the physical layer is the lowest. 
Within this layer a number of phases are identified. The protocol enters the 
so-called tree identify phase whenever a bus reset occurs, for instance when a 
connection is added or removed. The task of this phase is to check whether the 
network topology is a tree and, if so, to elect a leader among the nodes in this 
tree. 

This is done by constructing a spanning tree in the network and electing the root of the tree as leader. Informally, the basic idea of the protocol is as follows: leaf nodes send a "parent request" message to their neighbor. When a node has received a parent request from all but one of its neighbors it sends a parent request to its remaining neighbor. In this way the tree grows from the leaves to a root. If a node has received parent requests from all its neighbors, it knows that it has been elected as the root of the tree. It is possible that at the end of the tree identify phase two nodes send parent request messages to each other; this situation is called root contention. In this paper we will be concerned with the formal verification and analysis of the root contention protocol which is run in this case. After completion of the root contention protocol, one of the two nodes has become root of the network.

Lynch [ref, p. 501] describes an abstract version of the tree identify protocol and suggests to elect the node with the larger unique identifier (UID) as the root in case of root contention. Since during the tree identify phase no UIDs are available (these will be assigned during a later phase of the physical layer protocol), a probabilistic algorithm has been chosen that is fully symmetric and does not require the presence of UIDs.

Let us, for simplicity, refer to the two contending nodes as node 1 and node 2. The timed probabilistic I/O automata describing the behavior of these nodes are given in Figure 1 using the IOA syntax of [ref] extended with a simple form of probabilistic choice. Roughly, the protocol works as follows. When a node $i$ has detected root contention it first flips a coin (i.e., performs the action Flip(i)). If head comes up then it waits a short time, somewhere in the interval $[\delta_{fast}, \Delta_{fast}]$. If tail comes up then it waits a long time, somewhere in the interval $[\delta_{slow}, \Delta_{slow}]$. So $0 < \delta_{fast} < \Delta_{fast} < \delta_{slow} < \Delta_{slow}$. After the waiting period has elapsed, either no message from the contender has been received, or a parent request message has arrived. In the first case the node sends a request message to its contender (i.e., performs the action Send(i, req)), in the second case it sends an acknowledgement message (i.e., performs the action Send(i, ack)). As soon as a node has sent an acknowledgement it declares itself to be the root (via the action Root(i)), and whenever a node has received an acknowledgement it assumes that its contender will become root and it declares itself child (via the action Child(i)). If a node that has sent a request subsequently receives a request, then it concludes that there is root contention again, and the protocol starts all over again. The basic idea behind the protocol is that if the outcomes of the coin flips are different, the node with outcome tail (i.e., the slow one) will become root. And since with probability one the outcomes of the two coin flips will eventually be different, the root contention protocol will terminate (with probability one).

The timed probabilistic I/O automaton for node $i$ ($i = 1, 2$), displayed in Figure 1, has five state variables: variable status tells whether the node has become root, child, or whether its status is still unknown; variable coin records the outcome of the coin flip; variable snt records the last value (if any) that has been sent to the contender and may take values req, ack or $\bot$; similarly rec records the last value that has been received (if any); variable x, finally, models the arbitration timer that records the time that has elapsed since root contention has been detected. We use two auxiliary functions mindelay and maxdelay from Toss to Reals given by, for $c \in$ Toss,

    mindelay(c) = if c = head then δ_fast else δ_slow
    maxdelay(c) = if c = head then Δ_fast else Δ_slow



Now it should not be difficult to understand the precondition/effect style definitions in Figure 1, except maybe for the definition of the Time(d) transitions. This part states that time will not progress if the status of the node is unknown and (1) an acknowledgement has been sent, or (2) an acknowledgement has been received, or (3) a parent request has both been sent and received. In the first case the automaton will instantaneously perform a Root(i) action, in the second case it will perform a Child(i) action, and in the third case there is contention and the automaton will flip a coin². The last clause in the precondition of Time(d) enforces that a Send(i, m) action is performed within either $\Delta_{fast}$ or $\Delta_{slow}$ time after the coin flip (depending on the outcome). Once the status of the automaton has become root or child there are no more restrictions on time passage.

    type P = enumeration of 1, 2
    type M = enumeration of ⊥, req, ack
    type Status = enumeration of unknown, root, child
    type Toss = enumeration of head, tail

    automaton Node(i: P)
      states
        status : Status := unknown,
        coin : Toss,
        snt : M := req,
        rec : M := req,
        x : Reals := 0
      signature
        input Receive(const i, m: M) where m ≠ ⊥
        output Send(const i, m: M) where m ≠ ⊥,
               Root(const i)
        internal Flip(const i),
                 Child(const i)
        delay Time(d: Reals) where d > 0
      transitions
        internal Flip(i)
          pre status = unknown ∧ snt = req ∧ rec = req
          eff coin := { head ↦ 1/2, tail ↦ 1/2 };
              x := 0;
              snt := ⊥;
              rec := ⊥
        output Send(i, m)
          pre status = unknown ∧ snt = ⊥
              ∧ x ≥ mindelay(coin)
              ∧ m = if rec = ⊥ then req else ack
          eff snt := m
        input Receive(i, m)
          eff rec := m
        output Root(i)
          pre status = unknown ∧ snt = ack
          eff status := root
        internal Child(i)
          pre status = unknown ∧ rec = ack
          eff status := child
        delay Time(d)
          pre status = unknown ⇒
                (snt ≠ ack ∧ rec ≠ ack ∧ ¬(snt = req ∧ rec = req)
                 ∧ (snt = ⊥ ⇒ x + d ≤ maxdelay(coin)))
          eff x := x + d

    Fig. 1. Node automaton.

The two automata for node 1 and node 2 communicate via wires, which are modeled as the timed probabilistic automata Wire(1, 2) and Wire(2, 1) specified in Figure 2. We assume an upper bound $\Gamma > 0$ on the communication delay.



    automaton Wire(i: P, j: P)
      states
        msg : M := ⊥,
        x : Reals := 0
      signature
        input Send(const i, m: M) where m ≠ ⊥
        output Receive(const j, m: M) where m ≠ ⊥
        delay Time(d: Reals) where d > 0
      transitions
        input Send(i, m)
          eff msg := m;
              x := 0
        output Receive(j, m)
          pre m = msg
          eff msg := ⊥
        delay Time(d)
          pre msg ≠ ⊥ ⇒ x + d ≤ Γ
          eff x := x + d

    Fig. 2. Wire automaton.



The full system can now be described as the parallel composition of the two node automata and the two wire automata, with all synchronization actions hidden (see Figure 3).

    Impl = hide Send(i, m), Receive(i, m) for i : P, m : M in
             compose Node(1); Wire(1, 2); Node(2); Wire(2, 1)

    Fig. 3. The full system.



² Note that in each of these three cases we abstract in our model from the computation time required to perform these actions.
Remark 1. As Segala [ref] points out in his thesis, it would be useful to study the theory of receptiveness [ref] in the context of randomization. As far as we know, nobody has taken up this challenge yet. Intuitively, an automaton is receptive if it does not constrain its environment, for instance by not accepting certain inputs or by preventing time from passing beyond a certain point. Behavior inclusion is used as an implementation relation in the I/O automata framework and we exclude trivial implementations by requiring that an implementation is receptive.

If we replace all probabilistic choices by nondeterministic choices in the automata of this section, then the resulting timed I/O automata are receptive in the sense of [ref]. Even with a more restrictive definition of receptivity, in which we allow the environment to resolve all probabilistic choices, the automata of this section remain receptive.

5 Verification and Analysis 

Of course the key correctness property of the root contention protocol which we would like to prove is that eventually exactly one node is designated as root. This correctness property is described by the two-state probabilistic I/O automaton Spec of Figure 4.



We will establish that Impl implements Spec, provided the following two con- 
straints on the parameters are met: 



    Γ < δ_fast                     (1)
    Δ_fast + 2Γ < δ_slow           (2)

    automaton Spec
      states
        done : Bool := false
      signature
        output Root(i: P)
      transitions
        output Root(i)
          pre done = false
          eff done := true
      tasks
        One block

    Fig. 4. Specification.



Within our proof, we introduce three intermediate automata I1, I2 and I3, and prove that

These results (or more precisely the refinements that are established in their proofs) are then used to obtain that

$$Impl \sqsubseteq_{TD} I1 \sqsubseteq_{DFTD} I2 \sqsubseteq_{FTD} I3 \sqsubseteq_{FTD} Spec.$$

I1 is a timed probabilistic I/O automaton, which abstracts from all the message passing in Impl, while preserving the probabilistic choices as well as most information about the timing of the Root(i) events. I2 is a probabilistic I/O automaton which is identical to I1, except that all real-time information has been omitted. In I3 the two coin flips from each node of the protocol are combined into a single probabilistic transition.



5.1 Invariants 

We will show that there exists a probabilistic step refinement from Impl to an intermediate automaton I1. In order to establish a refinement, we first need to introduce a number of invariants for automaton Impl.

We use subscripts 1 and 2 to refer to the state variables of Node(1) and Node(2), respectively, and subscripts 12 and 21 to refer to the state variables of Wire(1, 2) and Wire(2, 1), respectively. So, $x_1$ denotes the clock variable of Node(1), $x_{12}$ the clock variable of Wire(1, 2), etc. Within formulas we further use the following abbreviations, for $i \in P$ (and $j$ the other node),

$$Cont(i) = snt_i = req \wedge (rec_i = req \vee msg_{ji} = req)$$
$$Wait(i) = snt_i = rec_i = \bot$$
$$\delta_i = mindelay(coin_i)$$
$$\Delta_i = maxdelay(coin_i)$$

Predicate Cont(i) states that node $i$ has either detected contention (a request has both been sent and received) or will do so in the near future (the node has sent a request and will receive one soon). Predicate Wait(i) states that node $i$ has flipped the coin and is waiting for the delay time to expire; no message has been received yet. State function $\delta_i$ gives the minimum delay time for node $i$, and state function $\Delta_i$ the maximum delay time (both state functions depend on the outcome of the coin flip).

We claim that assertions (3)-(19) below are invariants of automaton Impl.



$x_i \geq 0$ (3)

$status_i = unknown \wedge snt_i \neq req \Rightarrow x_i \leq \Delta_i$ (4)

$snt_i = ack \Rightarrow x_i \geq \delta_i$ (5)

$status_i = root \Rightarrow snt_i = ack$ (6)

$status_i = child \Rightarrow rec_i = ack$ (7)

$x_{ij} \geq 0$ (8)

$msg_{ij} \neq \bot \Rightarrow x_{ij} \leq \Gamma$ (9)

$(Cont(i) \Leftrightarrow Cont(j)) \Rightarrow |x_i - x_j| \leq \Gamma$ (10)

$Cont(i) \wedge \neg Cont(j) \Rightarrow Wait(j) \wedge msg_{ij} = \bot \wedge x_j \leq \Gamma$ (11)

$msg_{ij} \neq \bot \Rightarrow rec_j = \bot$ (12)

$msg_{ij} = \bot \Rightarrow snt_i = \bot \vee rec_j \neq \bot \vee Cont(i)$ (13)

$msg_{ij} = req \wedge \neg Wait(i) \Rightarrow snt_i = req \wedge snt_j \neq ack \wedge \delta_i \leq x_i - x_{ij} \leq \Delta_i$ (14)

$msg_{ij} = req \wedge Wait(i) \Rightarrow snt_j = req \wedge x_i \leq x_{ij}$ (15)

$snt_i = \bot \wedge rec_i = req \Rightarrow snt_j = req \wedge rec_j = \bot \wedge x_j \geq \delta_j$ (16)

$rec_i = ack \Rightarrow snt_j = ack$ (17)

$msg_{ij} = ack \Rightarrow snt_i = ack$ (18)

$snt_i = ack \Rightarrow rec_i = snt_j = req \wedge rec_j \neq req \wedge x_j \geq \delta_j$ (19)



Assertions (3)-(9) are local invariants, which can be proven straightforwardly for automata Node(i) and Wire(i, j) in isolation. Most of the time nodes 1 and 2 are either both in contention or both not in contention. Assertion (10) states that in these cases the values of the clocks of the two nodes differ by at most $\Gamma$. Assertion (11) expresses that the only case where node $i$ is in contention but the other node $j$ is not occurs when $j$ has just flipped a coin but the request message that $j$ sent to $i$ has not yet arrived or been processed. If a channel contains a message then nothing has been received at the end of this channel (12). If the channel from $i$ to $j$ is empty then either no message has been sent into the channel at $i$, or a message has been received at $j$, or we have a situation where $i$ is in contention and $j$ has just flipped a coin and moved to a new phase (13). If the channel from $i$ to $j$ contains a request message then there are two possible cases. Either $i$ has sent the message and is waiting for a reply (14), or there is contention and $i$ has just flipped a coin (15). If $i$ has received a request message without having sent anything, then $j$ has sent this message but has not received anything (16). The last three invariants deal with situations where there is an acknowledgement somewhere in the system (17)-(19). In these cases the global state is almost completely determined: if an acknowledgement is in a channel or has been received then it has been sent, and if a node has sent an acknowledgement then it has received a request, which in turn has been sent by the other node.

The proofs of the following two lemmas are tedious but completely standard since they only refer to the nonprobabilistic variant of Impl. Detailed proofs can be obtained via URL http://www.cs.kun.nl/~fvaan/PAPERS/SVproofs.

Lemma 1. Suppose state $s$ satisfies assertions (3)-(19) and $s \xrightarrow{Flip(i)} s'$. Then $s \models msg_{ij} = rec_j = \bot$ and $s' \models Cont(i) \Leftrightarrow Cont(j)$.

Lemma 2. Assertions (3)-(19) hold for all reachable states of Impl.
Remark 2. The first constraint on the timing parameters ($\Gamma < \delta_{fast}$) is used in the proof of Lemma 1 and ensures that there can never be two messages travelling in a wire at the same time. This property allows for a very simple model of the wires, in which a new message overwrites an old message. The constraint is not needed to prove the correctness of the algorithm. Nevertheless, since the constraint is implied by the standard, we decided to include it as an assumption in our analysis.

5.2 The First Intermediate Automaton 

Intermediate automaton I1 is displayed in Figure 5. This probabilistic timed I/O automaton records the status for each of the two nodes to be either init, head, tail, or done. In addition I1 maintains a clock x to impose timing constraints between events. Apart from the delay action there are three actions: Flip(i), which corresponds to node $i$ flipping a coin, Root(i), which corresponds to node $i$ declaring itself to be the root, and Retry(c), which models the restart of the protocol in the case where the outcome of both coin flips is $c$. Node $i$ performs a (probabilistic) Flip(i) action in its initial state. A Root(i) transition may occur if both nodes have flipped a coin and it is not the case that the outcome for $i$ is head and for $j$ tail. A Retry(c) transition may occur if both nodes have flipped $c$. Clock x is used to express that both nodes flip their coin within time $\Gamma$ after the (re-)start of the protocol. In addition it ensures that subsequently (depending on the outcome of the coin flips) at least $\delta_{fast} - \Gamma$ or $\delta_{slow} - \Gamma$ time and at most $\Delta_{fast}$ or $\Delta_{slow}$ time will elapse before either a Root(i) or a Retry(c) action occurs.

    automaton I1
      type Phase = enumeration of init, head, tail, done
      states
        phase : Array[P, Phase] := constant(init),
        x : Reals := 0
      signature
        output Root(i: P)
        internal Flip(i: P),
                 Retry(c: Toss)
        delay Time(d: Reals) where d > 0
      transitions
        internal Flip(i)
          pre phase[i] = init
          eff phase[i] := { head ↦ 1/2, tail ↦ 1/2 };
              if phase[next(i)] ≠ init then x := 0
        output Root(i)
          pre {phase[1], phase[2]} ⊆ {head, tail}
              ∧ ¬(phase[i] = head ∧ phase[next(i)] = tail)
              ∧ x ≥ mindelay(phase[i]) − Γ
          eff phase := constant(done)
        internal Retry(c)
          pre phase = constant(c)
              ∧ x ≥ mindelay(c)
          eff phase := constant(init);
              x := 0
        delay Time(d)
          pre (init ∈ {phase[1], phase[2]} ⇒ x + d ≤ Γ)
              ∧ ({phase[1], phase[2]} ⊆ {head, tail} ⇒
                   x + d ≤ max(maxdelay(phase[1]), maxdelay(phase[2])))
          eff x := x + d

    Fig. 5. Intermediate automaton I1.

Proposition 1. Impl $\sqsubseteq_{TD}$ I1. More specifically the conjunction, for $i \in P$, of

    phase[i] = if status_1 = root ∨ status_2 = root then done
               else if Cont(i) then init else coin_i fi fi
    x = if Cont(1) ∨ Cont(2) then min(x_12, x_21) else min(x_1, x_2)

determines a probabilistic step refinement from Impl to I1.

Proof. Routine. See http://www.cs.kun.nl/~fvaan/PAPERS/SVproofs.

Remark 3. The second constraint on the timing parameters ($\Delta_{fast} + 2\Gamma < \delta_{slow}$) is used in the proof of Proposition 1 and ensures that contention may only occur if the outcomes of both coin flips are the same. This property is needed to prove termination of the algorithm (with probability 1).

Remark 4. Figure 6 gives the values for some of the relevant parameters of the protocol as listed in the standard IEEE 1394 [ref] and in the more recent draft standard IEEE 1394a [ref]. Interestingly, the values in the two documents are different. Given our timing constraints (1) and (2), this leads to a maximum value for $\Gamma$ of $\frac{0.57 - 0.26}{2}\,\mu s = 0.155\,\mu s$ for IEEE 1394, and $\frac{1.60 - 0.80}{2}\,\mu s = 0.4\,\mu s$ for draft IEEE 1394a. With the maximal signal velocity of 5.05 ns/meter that is specified in both documents, this gives a maximum cable length of approximately 31 meter for IEEE 1394 and 79 meter for IEEE 1394a. However, these values should be viewed as upper bounds since within our model we have not taken into account the processing times of signals. IEEE 1394 specifies a maximum cable length of 4.5 meter.

    Timing constant     Min (1394)  Max (1394)  Min (1394a)  Max (1394a)
    ROOT_CONTENT_FAST   0.24 µs     0.26 µs     0.76 µs      0.80 µs
    ROOT_CONTENT_SLOW   0.57 µs     0.60 µs     1.60 µs      1.64 µs

    Fig. 6. Timing parameters.
Remark 5. In [ref] it is claimed that if both nodes happen to select slow timing or if both nodes select fast timing, contention results again. This is incorrect. In automaton I1 each of the two nodes may become root if both nodes happen to select the same timing delay. This may also occur within a real-world implementation of the protocol: if in the implementation the timing parameters of one node are close to their minimum values, in the other node close to their maximum values, and if the communication delay is small, then it may occur that a message of node $i$ arrives at node $j$ before the timing delay of node $j$ has expired. In fact, by instantiating the timing parameters differently in different devices (for instance via some random mechanism!) one may reduce the expected time to resolve contention. Unfortunately, a more detailed analysis of this phenomenon falls outside the scope of this paper.
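As an added example (not code from the paper), the following Python plays out one round of the protocol of Section 4 for given coin outcomes, Send instants and wire delays, using the IEEE 1394 values of Fig. 6; it exhibits both the guarantee of Remark 3 (under constraint (2), differing coins always make the tail node root) and the observation of Remark 5 (equal coins may still elect a root). The class Timing and the functions round_outcome and possible_outcomes are our own names.

```python
"""Added example, not code from the paper: one round of the root contention
protocol of Section 4, for given coin outcomes, Send instants inside the delay
windows [mindelay, maxdelay] and wire delays (at most Gamma).  Numbers are the
IEEE 1394 values of Fig. 6 in microseconds; all names below are our own."""
from dataclasses import dataclass
from fractions import Fraction as Fr
from itertools import product


@dataclass(frozen=True)
class Timing:
    d_fast: Fr   # delta_fast
    D_fast: Fr   # Delta_fast
    d_slow: Fr   # delta_slow
    D_slow: Fr   # Delta_slow
    gamma: Fr    # Gamma, upper bound on the communication delay of a wire

    def mindelay(self, coin):
        return self.d_fast if coin == "head" else self.d_slow

    def maxdelay(self, coin):
        return self.D_fast if coin == "head" else self.D_slow

    def constraints_hold(self):
        """Constraint (1) Gamma < delta_fast and (2) Delta_fast + 2 Gamma < delta_slow."""
        return self.gamma < self.d_fast and self.D_fast + 2 * self.gamma < self.d_slow


# ROOT_CONTENT_FAST/SLOW of IEEE 1394 (Fig. 6); Gamma chosen below the 0.155 us bound
IEEE1394 = Timing(Fr("0.24"), Fr("0.26"), Fr("0.57"), Fr("0.60"), Fr("0.15"))


def round_outcome(t, coins, sends, delays):
    """Outcome of one round, both nodes having flipped at time 0.
    coins[i] is the outcome of node i, sends[i] the instant at which node i
    performs Send(i, _) (within [mindelay, maxdelay] of its coin), delays[i] the
    delay of the wire from i to the other node.  As in Fig. 1, a node sends ack
    (and becomes root) iff it has received the other node's req by then; a req
    arriving exactly at the send instant is treated as not yet received.
    Returns 'root1', 'root2' or 'contention' (both sent req, protocol restarts)."""
    for i in (1, 2):
        assert t.mindelay(coins[i]) <= sends[i] <= t.maxdelay(coins[i])
        assert 0 <= delays[i] <= t.gamma
    arrival = {1: sends[1] + delays[1], 2: sends[2] + delays[2]}  # req of i reaches the other
    if arrival[2] < sends[1]:
        return "root1"          # node 1 saw rec = req, so it sent ack
    if arrival[1] < sends[2]:
        return "root2"
    return "contention"         # both sent req; both receive req and flip again


def possible_outcomes(t, coins, steps=2):
    """All outcomes over a grid of send instants (endpoints and interior points of
    each delay window) and wire delays in [0, gamma].  Every comparison in
    round_outcome is monotone in its inputs, so the window endpoints already
    exhibit each outcome that is possible at all."""
    def grid(lo, hi):
        return [lo + (hi - lo) * Fr(k, steps) for k in range(steps + 1)]
    windows = {i: grid(t.mindelay(coins[i]), t.maxdelay(coins[i])) for i in (1, 2)}
    dgrid = grid(Fr(0), t.gamma)
    outcomes = set()
    for s1, s2, g1, g2 in product(windows[1], windows[2], dgrid, dgrid):
        outcomes.add(round_outcome(t, coins, {1: s1, 2: s2}, {1: g1, 2: g2}))
    return outcomes
```

With a wire delay bound that violates constraint (2), possible_outcomes also returns 'contention' for differing coins, which is exactly the case the constraint rules out.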



Remark 6. Another way in which the performance of the protocol could be improved is by repeatedly polling the input during the timing delay, rather than checking it only at the end. We suggest that, if the process receives a request when the timing delay has not yet expired, then it immediately sends an acknowledgement (and declares itself root). If the process has not received a request during the timing delay, then it sends a request and proceeds as the current implementation. In a situation where node $i$ flips head and selects a timing delay of $\delta_{fast}$ and the other node $j$ flips tail and selects a timing delay of $\Delta_{slow}$, our version elects a leader within at most $\delta_{fast} + 3\Gamma$, whereas in the current version this upper bound is $\Delta_{slow} + 3\Gamma$.

5.3 The Second Intermediate Automaton 

In Figure 7 the second intermediate automaton I2 is described. I2 is a probabilistic I/O automaton that is identical to I1 except that all real-time information has been abstracted away; instead a (trivial) task partition is included. The proof of the following Proposition 2 is easy: the projection function $\pi$ from I1 to I2 trivially is a probabilistic step refinement (after hiding of the time delays).

Proposition 2. I1 $\sqsubseteq_{TD}$ I2.

Proposition 3. If $\alpha \in execs(I1)$ is diverging and $\pi$ relates $\alpha$ and $\beta$, then $\beta$ is fair.

The result formulated in Proposition 3 above follows by the fact that a diverging execution of I1 either contains infinitely many Retry actions, or contains an infinite suffix with a Root(i) transition followed by an infinite number of delay transitions. Now the claim at the end of Section 3.3 implies I1 $\sqsubseteq_{DFTD}$ I2.

5.4 The Third Intermediate Automaton

Figure 8 gives the IOA code for the probabilistic I/O automaton I3. This automaton abstracts from I2 since it only has a single probabilistic transition.
    automaton I2
      states
        phase : Array[P, Phase] := constant(init)
      signature
        output Root(i: P)
        internal Flip(i: P),
                 Retry(c: Toss)
      transitions
        internal Flip(i)
          pre phase[i] = init
          eff phase[i] := { head ↦ 1/2, tail ↦ 1/2 }
        output Root(i)
          pre {phase[1], phase[2]} ⊆ {head, tail}
              ∧ ¬(phase[i] = head ∧ phase[next(i)] = tail)
          eff phase := constant(done)
        internal Retry(c)
          pre phase = constant(c)
          eff phase := constant(init)
      tasks
        One block

    Fig. 7. Intermediate automaton I2.



    automaton I3
      type Loc = enumeration of init, win1, win2, same, done
      states
        loc : Loc := init
      signature
        output Root(i: P)
        internal Flips,
                 Retry
      transitions
        internal Flips
          pre loc = init
          eff loc := { win1 ↦ 1/4, win2 ↦ 1/4, same ↦ 1/2 }
        output Root(i)
          pre loc ∈ {win_i, same}
          eff loc := done
        internal Retry
          pre loc = same
          eff loc := init
      tasks
        One block

    Fig. 8. Intermediate automaton I3.
Within automaton I3, init is the initial state and done is the final state in which a root has been elected. The remaining states $win_1$, $win_2$, same correspond to situations in which both processes have flipped but no leader has been elected yet. The value $win_i$ indicates that the results are different and the outcome of $i$ equals tail. In state same both coin flips have yielded the same result.



Proposition 4. I2 $\sqsubseteq_{phsr}$ I3. More specifically, the following function $r$ from (reachable) states of I2 to discrete probability spaces over states of I3 is a probabilistic hyperstep refinement from I2 to I3 (we represent a state with a list containing the values of its variables):

    r(init, init) = {init ↦ 1}
    r(head, init) = {win2 ↦ 1/2, same ↦ 1/2}
    r(init, head) = {win1 ↦ 1/2, same ↦ 1/2}
    r(tail, init) = {win1 ↦ 1/2, same ↦ 1/2}
    r(init, tail) = {win2 ↦ 1/2, same ↦ 1/2}
    r(head, head) = {same ↦ 1}
    r(tail, tail) = {same ↦ 1}
    r(head, tail) = {win2 ↦ 1}
    r(tail, head) = {win1 ↦ 1}
    r(done, done) = {done ↦ 1}
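The lifting of Definition 10 and the three conditions of Definition 11 can be checked mechanically for the function r above. The following Python is an added example and not code from the paper: it transcribes the transitions of I2 (Fig. 7) and I3 (Fig. 8), encodes a state of I2 as the pair (phase[1], phase[2]), and the function names (i2_steps, lifted_steps, hyperstep_violations) are our own.

```python
"""Added example, not code from the paper: the lifting of Definition 10, the
lifted transition relation of Example 1 and a mechanical check of Definition 11
showing that the function r of Proposition 4 is a probabilistic hyperstep
refinement from I2 to I3.  Transitions follow Figs. 7 and 8; encoding an I2
state as the pair (phase[1], phase[2]) and the action names are our choices."""
from fractions import Fraction as Fr
from itertools import product

HALF = Fr(1, 2)

def i2_steps(s):
    """Steps (action, distribution) enabled in I2 state s = (phase[1], phase[2])."""
    steps = []
    for i in (1, 2):
        if s[i - 1] == "init":          # Flip(i): fair coin
            h, t = list(s), list(s)
            h[i - 1], t[i - 1] = "head", "tail"
            steps.append((("Flip", i), {tuple(h): HALF, tuple(t): HALF}))
    if set(s) <= {"head", "tail"}:
        for i in (1, 2):                # Root(i) unless i has head and next(i) has tail
            if not (s[i - 1] == "head" and s[2 - i] == "tail"):
                steps.append((("Root", i), {("done", "done"): Fr(1)}))
        if s[0] == s[1]:                # Retry(c) when both outcomes equal c
            steps.append((("Retry", s[0]), {("init", "init"): Fr(1)}))
    return steps

def i3_steps(loc):
    """Steps enabled in I3 state loc."""
    steps = []
    if loc == "init":
        steps.append((("Flips",), {"win1": Fr(1, 4), "win2": Fr(1, 4), "same": HALF}))
    for i in (1, 2):
        if loc in ("win%d" % i, "same"):
            steps.append((("Root", i), {"done": Fr(1)}))
    if loc == "same":
        steps.append((("Retry",), {"init": Fr(1)}))
    return steps

def is_internal(action):                # Root(i) is the only external action
    return action[0] != "Root"

R = {  # the function r of Proposition 4: states of I2 -> distributions over I3
    ("init", "init"): {"init": Fr(1)},
    ("head", "init"): {"win2": HALF, "same": HALF},
    ("init", "head"): {"win1": HALF, "same": HALF},
    ("tail", "init"): {"win1": HALF, "same": HALF},
    ("init", "tail"): {"win2": HALF, "same": HALF},
    ("head", "head"): {"same": Fr(1)},
    ("tail", "tail"): {"same": Fr(1)},
    ("head", "tail"): {"win2": Fr(1)},
    ("tail", "head"): {"win1": Fr(1)},
    ("done", "done"): {"done": Fr(1)},
}

def lift(h, mu):
    """h**(mu): Definition 10 for the graph of h, i.e. choose h(x) with probability mu(x)."""
    nu = {}
    for x, p in mu.items():
        for y, q in h[x].items():
            nu[y] = nu.get(y, Fr(0)) + p * q
    return nu

def lifted_steps(steps_of, mu):
    """The relation ->^{a**} of Example 1 from mu: per action a, one a-step is chosen
    for each support state and the targets are mixed with the weights of mu."""
    support = list(mu)
    choices = {}                        # action -> {support state -> [targets]}
    for x in support:
        for a, nu in steps_of(x):
            choices.setdefault(a, {}).setdefault(x, []).append(nu)
    result = []
    for a, per_state in choices.items():
        if len(per_state) != len(support):   # some support state has no a-step
            continue
        for combo in product(*(per_state[x] for x in support)):
            nu = {}
            for x, target in zip(support, combo):
                for y, q in target.items():
                    nu[y] = nu.get(y, Fr(0)) + mu[x] * q
            result.append((a, nu))
    return result

def hyperstep_violations(h, start_a, steps_a, start_b, steps_b):
    """Definition 11 on all reachable states of A: (state, action) pairs violating condition 2."""
    assert h[start_a] == {start_b: Fr(1)}                      # condition 1
    failures, seen, todo = [], {start_a}, [start_a]
    while todo:
        s = todo.pop()
        for a, mu in steps_a(s):
            target, lifted = lift(h, mu), lifted_steps(steps_b, h[s])
            ok = ((a, target) in lifted                                        # (a)
                  or is_internal(a) and any(is_internal(b) and nu == target for b, nu in lifted)  # (b)
                  or is_internal(a) and h[s] == target)                        # (c)
            if not ok:
                failures.append((s, a))
            todo.extend(t for t in mu if t not in seen)
            seen.update(mu)
    return failures
```

An empty result from hyperstep_violations(R, ("init", "init"), i2_steps, "init", i3_steps) is the mechanical counterpart of Proposition 4; changing a single entry of R (for example mapping (head, tail) to win1) makes the check report the offending state and action.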






The proofs of the following Propositions 5 and 6 can be found in [ref]. These proofs are the only places in our verification where nontrivial probabilistic reasoning takes place: establishing $\sqsubseteq_{FTD}$ basically amounts to proving that the probabilistic mechanism in the protocol ensures termination with probability 1. Note that the automata involved are all very simple: I2 has 10 states, I3 has 5 states, and Spec has 2 states.

Proposition 5. I2 $\sqsubseteq_{FTD}$ I3.

Proposition 6.

1. I3 $\sqsubseteq_{TD}$ Spec. More specifically, the function determined by the predicate done = (loc = done) is a probabilistic step refinement from I3 to Spec.

2. I3 $\sqsubseteq_{FTD}$ Spec.

6 Concluding Remarks 

In order to make our verification easier to understand, we introduced three aux- 
iliary automata in between the implementation and the specification automaton. 
We also used the simpler notion of probabilistic (hyper)step refinement rather 
than the more general but also complex simulation relations (especially in the 
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timed case!) which have been proposed by Segala and Lynch The com- 

plexity of the definitions in HHum is mainly due to the fact that a single step 
in one machine can in general be simulated by a sequence of steps in the other 
machine with the same external behavior. In the probabilistic case this means 
that a probabilistic transition in one machine can be simulated by a tree like 
structure in the other machine. In the simulations that we use in this paper, 
a single transition in one machine is simulated by at most one transition in 
the other machine. In our case study we were able to carry out the correctness 
proof by using only probabilistic (hyper)step refinements. However, it is easy to 
come up with counterexamples which show that this is not possible in general. 
Grifhoen and Vaandrager [ 7 | introduce various notions of normed simulations 
and prove that these notions together constitute a complete proof method for 
establishing trace inclusion between (nonprobabilistic, untimed automata). In 
normed simulations a single step in one machine is always simulated by at most 
one step in the other machine. We think that it is possible to come up with a 
complete method for proving trace distribution inclusion between probabilistic 
automata by defining probabilistic versions of the normed simulations of 0. 

For timed automata, trace inclusion is in general not an appropriate implementation relation. In [ref] the coarser notion of timed trace inclusion is advocated instead. Similarly, [ref] suggests the notion of timed trace distribution inclusion as an implementation relation between probabilistic timed automata. Since trace distribution inclusion implies timed trace distribution inclusion, and the two preorders coincide for most practical cases, we prefer to use the much simpler proof techniques for trace distribution inclusion.

The idea to introduce auxiliary automata in a simulation proof has been studied in many papers, see for instance [ref]. The verification reported in this paper indicates that the introduction of auxiliary automata can be very useful in the probabilistic case: it allowed us to first deal with the nonprobabilistic and real-time behavior of the protocol, basically without being bothered by the complications of randomization; nontrivial probabilistic analysis was only required for automata with 10 states or less.

As a final remark we would like to point out that the root contention protocol which we discussed in this paper is essentially finite state. It is therefore an interesting challenge for tool builders to analyze this protocol fully automatically. Most of the verification effort in our case study was not concerned with randomization at all, but just consisted of standard invariant proofs. In fact, one could use existing tools for the analysis of timed automata such as Uppaal [3], Kronos [ref] and HyTech [ref] to check these invariants. It would be especially interesting to derive the constraints on the timing parameters fully automatically (at the moment only HyTech [ref] can do parametric analysis). Tool support will be essential for the analysis of more detailed models of the protocol in which also computation delays have been taken into account.
Abstract. We consider the timed automata model of [2], which allows the analysis of real-time systems expressed in terms of quantitative timing constraints. Traditional approaches to real-time system description express the model purely in terms of nondeterminism; however, we may wish to express the likelihood of the system making certain transitions. In this paper, we present a model for real-time systems augmented with discrete probability distributions. Furthermore, using the algorithm of [ref] with fairness, we develop a model checking method for such models against temporal logic properties which can refer both to timing properties and probabilities, such as, "with probability 0.6 or greater, the clock $x$ remains below 5 until clock $y$ exceeds 2".



1 Introduction 

The proliferation of digital technology embedded into real-life environments has 
led to increased interest in computer systems expressed in terms of quantitative 
timing constraints. Examples of such real-time systems include communication 
protocols, digital circuits with uncertain delay lengths, and media synchroniza- 
tion protocols. A number of frameworks exist within which the formal reasoning 
and analysis of such systems can be carried out. A formalism that has received 
much attention, both in terms of theoretical and practical developments, is that 
of timed automata; in particular, the theory of automatically verifying timed 
automata against properties of a real-time temporal logic is advanced, and is 
supported by a number of tools [ref].

Traditional approaches to the formal description of real-time systems express 
the system model purely in terms of nondeterminism. However, it may be desir- 
able to express the relative likelihood of the system exhibiting certain behaviour. 
For example, we may wish to model a system for which the likelihood of a certain 
event occurring changes with respect to the amount of time elapsed. This notion 
is particularly important when considering fault-tolerant systems. Furthermore, 
we may also wish to refer to the likelihood of certain temporal logic properties
being satisfied by the real-time system, and to have a model checking algorithm 
for verifying the truth of these assertions. The remit of this paper is to address 
these problems. 

Therefore, we present a model for real-time systems that are described partially in terms of discrete probability distributions, and an automatic verification method for this model against a new, probabilistic real-time logic. The system model is called a probabilistic timed graph, and differs from the timed automata based model of [ref] in the following respects. Firstly, the edge relation of probabilistic timed graphs is both nondeterministic and probabilistic in nature. More precisely, instead of making a purely nondeterministic choice over the set of currently enabled edges, we choose amongst the set of enabled discrete probability distributions, each of which is defined over a finite set of edges. We then make a probabilistic choice as to which edge to take according to the selected distribution. As with usual timed automata techniques, the underlying model of time is assumed to be dense; that is, the time domain is modelled by the reals ($\mathbb{R}$) or rationals ($\mathbb{Q}$). However, in contrast to [ref], probabilistic timed graphs are defined over weakly monotonic time, which allows us to express the notion of more than one system event occurring at a given point in time.

Furthermore, we adapt the specification language commonly used for stating real-time system requirements, TCTL (Timed Computation Tree Logic) [ref], to cater for probability. A common approach taken in probabilistic temporal logics is to augment certain formulae with a parameter referring to a bound on probability which must be satisfied for the formula to be true. For example, $[\phi_1\,\exists\mathcal{U}\,\phi_2]_{\geq p}$ is true if the probability of $\phi_1\,\mathcal{U}\,\phi_2$ is at least $p$. Therefore, we develop our specification language, PTCTL (Probabilistic Timed Computation Tree Logic), by adding such probabilistic operators to TCTL. The resulting logic allows us to express such quality of service properties as, "with probability 0.7, there will be a response between 5 and 7 time units after a query".

The denseness of the time domain means that the state space of timed au- 
tomata is infinite. Therefore, automatic verification of timed automata is per- 
formed by constructing a finite-state quotient of the system model. This quotient 
takes the form of a state-labelled transition system which represents all of the 
timed automaton’s behaviours, and which can be analyzed using analogues of 
traditional model checking techniques. We adopt this method in order to con- 
struct a finite quotient of probabilistic timed graphs; naturally, the transitions of 
the resulting model are both nondeterministic and probabilistic in nature, and 
therefore the model checking methods employed must accommodate this characteristic. The verification algorithms of [ref] are used for this purpose. However, they are defined with respect to PBTL (Probabilistic Branching Time Logic), which does not allow the expression of dense timing constraints. Hence, we present a method for translating a given PTCTL formula into a corresponding PBTL formula. The model checking algorithm of [ref] is then used to verify the PBTL properties over our probabilistic-nondeterministic quotient structure, the results of which allow us to conclude whether the original probabilistic timed graph satisfied its PTCTL specification. Furthermore, the verification methods of [ref] allow us to model check fair paths of the quotient construction. In the context of real-time systems, fair paths correspond to behaviours which allow the progress of time, a notion which also corresponds to realisable behaviours.

An example of a real-time system which could be subject to these techniques 
is the bounded retransmission protocol, which is modelled as a network of purely 
nondeterministic timed automata in [ref]. Each communication channel is represented as a timed automaton which features a nondeterministic choice over two
edges, one of which corresponds to the correct transmission of the message, the 
other to the message’s loss. Using our framework, the relative likelihood of such 
a loss occurring could be represented by replacing this nondeterministic choice 
by a probabilistic choice between the two edges; for example, a probabilistic 
timed graph could be used to model that a message is lost with probability 0.05 
each time a communication channel is used. Similarly, the system requirements 
of the bounded retransmission protocol could be expanded to admit reasoning 
about the probability of certain system behaviours. For instance, we may require 
that, with probability at least 0.99, any data chunk transmitted by the sender 
is successfully processed by the receiver within 10 time units. 

The model presented in this paper has similarities with other frameworks for probabilistic real-time systems. In particular, the approach of [ref] is also to augment timed automata with discrete probability distributions; however, these distributions are obtained by normalization of edge-labelling weights. Furthermore, the model checking algorithm of [ref] is with respect to an action-based logic, rather than a state-based logic such as PTCTL. A dense time, automata-based model with discrete and continuous probability distributions is presented in [ref], along with a quotient construction and TCTL model checking method similar to that of [2]. However, the model of Alur et al. does not permit any nondeterministic choice, and its use of continuous probability distributions, while a highly expressive modelling mechanism, does not permit the model to be automatically verified against logics which include bounds on probability. Furthermore, note that the temporal logic of [ref] has syntactic similarities with the logic PTCTL, although this former logic is interpreted with respect to discrete, not dense time.

The paper proceeds as follows. Section 2 introduces some preliminary con- 
cepts and notation relating to execution sequences. Section 3 presents the under- 
lying model of our probabilistic timed graphs, which are used to interpret for- 
mulae of the logic, PTCTL, introduced in section 4. Probabilistic timed graphs 
are defined in section 5 as our model for probabilistic-nondeterministic real-time 
systems, and a method for translating them into their underlying probabilistic 
timed structure is presented. Section 6 explores the model checking problem for 
probabilistic timed graphs, and presents a finite-state quotient construction for 
this model, a method for translating a PTCTL formula into a series of equiva- 
lent PBTL formulae, and finally a verification method. To conclude, section 7 
analyzes the complexity of the model checking technique, and suggests further 
directions of research. 
2 Preliminaries



Labelled paths (or execution sequences) are non-empty finite or infinite sequences of the form:

$$\omega = \sigma_0 \xrightarrow{l_0} \sigma_1 \xrightarrow{l_1} \sigma_2 \xrightarrow{l_2} \cdots$$

where $\sigma_i$ are states and $l_i$ are labels for transitions. We use the following notation for such paths. Take any path $\omega$. Then the first state of $\omega$ is denoted by $first(\omega)$. If $\omega$ is finite then the last state of $\omega$ is denoted by $last(\omega)$. The length of a path, $|\omega|$, is defined in the usual way: if $\omega$ is the finite path $\omega = \sigma_0 \xrightarrow{l_0} \cdots \xrightarrow{l_{n-1}} \sigma_n$, then $|\omega| = n$; if $\omega$ is an infinite path, then we let $|\omega| = \infty$. If $k \leq |\omega|$ then $\omega(k)$ denotes the $k$-th state of $\omega$ and $step(\omega,k)$ is the label of the $k$-th step (that is, $\omega(k) = \sigma_k$ and $step(\omega,k) = l_k$). $\omega^{(k)}$ is the $k$-th prefix of $\omega$; that is, if $k \leq |\omega|$ then $\omega^{(k)} = \sigma_0 \xrightarrow{l_0} \cdots \xrightarrow{l_{k-1}} \sigma_k$, and if $k > |\omega|$ then $\omega^{(k)} = \omega$. If $\omega = \sigma_0 \xrightarrow{l_0} \sigma_1 \cdots \xrightarrow{l_{n-1}} \sigma_n$ is a finite path and $\omega' = \sigma'_0 \xrightarrow{l'_0} \sigma'_1 \xrightarrow{l'_1} \cdots$ is a finite or infinite path with $last(\omega) = first(\omega')$, then we let the concatenation of $\omega$ and $\omega'$ be:

$$\omega\omega' = \sigma_0 \xrightarrow{l_0} \sigma_1 \xrightarrow{l_1} \sigma_2 \cdots \sigma_n \xrightarrow{l'_0} \sigma'_1 \xrightarrow{l'_1} \cdots$$



3 Probabilistic Timed Structures 

In this section, we introduce an underlying model for probabilistic timed graphs, called probabilistic timed structures, which are obtained by augmenting the timed structures of [ref] with a probabilistic choice over transitions. More precisely, instead of a nondeterministic choice over transitions that consist of a real-valued duration and a next state, as is the case in traditional timed structures, the transition function of probabilistic timed structures results in a choice over pairs consisting of a duration and a discrete probability distribution over next states.

Let $AP$ be a set of atomic propositions. A clock $x$ is a real-valued variable which increases at the same rate as real-time. Let $X$ be a set of clocks, and let $\nu : X \rightarrow \mathbb{R}$ be a function assigning a real value to each of the clocks in this set. Such a function is called a clock valuation. For some $C \subseteq X$ we write $\nu[C \mapsto 0]$ for the clock valuation that assigns 0 to all clocks in $C$, and agrees with $\nu$ for all clocks in $X \setminus C$ (informally, we write $\nu[x \mapsto 0]$ if $C$ contains the single clock $x$). In addition, for some $t \in \mathbb{R}$, $\nu + t$ denotes the clock valuation for which all clocks $x$ in $X$ take the value $\nu(x) + t$.

Definition 1 (State). A state $\sigma$ is an interpretation of all propositions and a valuation over the set of clocks: $\sigma$ assigns to each proposition $a$ in $AP$ a boolean value (therefore, $\sigma(a) \in \{true, false\}$) and to each clock in $X$ a non-negative real (therefore, $\sigma(x) \in \mathbb{R}$).

We denote the set of discrete probability distributions over a set $S$ by $\mu(S)$. Therefore, each $p \in \mu(S)$ is a function $p : S \rightarrow [0,1]$ such that
Definition 2 (Probabilistic Timed Structure). A probabilistic timed structure $\mathcal{M}$ is a tuple $(\Sigma, Tr, End)$ where $\Sigma$ is a set of states, $Tr$ is a function which assigns to each state $\sigma \in \Sigma$ a set $Tr(\sigma)$ of pairs of the form $(t,p)$ where $t \in \mathbb{R}$ and $p \in \mu(\Sigma)$, and $End$ is a set of states from which time is allowed to increase without bound.

$Tr(\sigma)$ is the set of transitions that can be nondeterministically chosen in state $\sigma$. Each transition takes the form $(t,p)$, where $t$ represents the duration of the transition and $p$ is the probability distribution used over the set of successor states. Therefore, given the nondeterministic choice of $(t,p) \in Tr(\sigma)$ in state $\sigma$, then, after $t$ time units have elapsed, a probabilistic transition is made to state $\sigma'$ with probability $p(\sigma')$.

Paths in a probabilistic timed structure arise by resolving both the nondeterministic and probabilistic choices. A path of the probabilistic timed structure $\mathcal{M} = (\Sigma, Tr, End)$ is a non-empty finite or infinite sequence:

$$\omega = \sigma_0 \xrightarrow{t_0,p_0} \sigma_1 \xrightarrow{t_1,p_1} \sigma_2 \xrightarrow{t_2,p_2} \cdots$$

where $\sigma_i \in \Sigma$, $(t_i,p_i) \in Tr(\sigma_i)$ and $p_i(\sigma_{i+1}) > 0$ for all $0 \leq i < |\omega|$.

Sets of labelled paths are denoted in the following way. $Path_{fin}$ is the set of finite paths, and $Path_{fin}(\sigma)$ is the set of paths in $Path_{fin}$ such that $\omega(0) = \sigma$. $Path_{ful}$ is the set of paths such that $\omega \in Path_{ful}$ if either $\omega$ is infinite, or $\omega$ is finite and $last(\omega) \in End$. $Path_{ful}(\sigma)$ is the set of paths in $Path_{ful}$ such that $\omega(0) = \sigma$.

Consider an infinite path $\omega$ of $\mathcal{M}$. A position of $\omega$ is a pair $(i,t')$, where $i \in \mathbb{N}$ and $t' \in \mathbb{R}$ such that $0 \leq t' \leq t_i$. The state at position $(i,t')$, denoted by $\sigma_i + t'$, assigns $\sigma_i(a)$ to each proposition $a$ in $AP$, and $\sigma_i(x) + t'$ to each clock $x$ in $X$. Given a path $\omega$, $i, j \in \mathbb{N}$ and $t, t' \in \mathbb{R}$ such that $i \leq |\omega|$, $t \leq t_i$ and $t' \leq t_j$, then we say that the position $(j,t')$ precedes the position $(i,t)$, written $(j,t') \prec (i,t)$, iff $j < i$, or $j = i$ and $t' < t$.



Definition 3 (Duration of a Path). For any path $\omega$ of a probabilistic timed structure $\mathcal{M}$ and $0 \leq i \leq |\omega|$ we define $\mathcal{D}_\omega(i)$, the elapsed time until the $i$th transition, as follows: $\mathcal{D}_\omega(0) = 0$ and for any $1 \leq i \leq |\omega|$:

$$\mathcal{D}_\omega(i) = \sum_{j=0}^{i-1} t_j .$$

We now introduce adversaries of probabilistic timed structures as functions which resolve all the nondeterministic choices of the model.

Definition 4 (Adversary of a Probabilistic Timed Structure). An adversary (or scheduler) of a probabilistic timed structure $\mathcal{M} = (\Sigma, Tr, End)$ is a function $A$ mapping every finite path $\omega$ of $\mathcal{M}$ to a pair $(t,p)$ such that $A(\omega) \in Tr(last(\omega))$. Let $\mathcal{A}$ be the set of all adversaries of $\mathcal{M}$.

For an adversary $A$ of a probabilistic timed structure $\mathcal{M} = (\Sigma, Tr, End)$ we define $Path^A_{fin}$ to be the set of finite paths such that $step(\omega,i) = $ for all $1 \leq i \leq |\omega|$, and $Path^A_{ful}$ to be the set of paths in $Path_{ful}$ such that $step(\omega,i) = $ for all $i \in \mathbb{N}$.

With each adversary we associate a sequential Markov chain, which can be viewed as a set of paths in $\mathcal{M}$. Formally, if $A$ is an adversary of the probabilistic timed structure $\mathcal{M}$, then $MC^A = (Path^A_{fin}, \mathbf{P}^A)$ is a Markov chain where:

$$\mathbf{P}^A(\omega,\omega') = \begin{cases} p(\sigma) & \text{if } A(\omega) = (t,p) \text{ and } \omega' = \omega \xrightarrow{t,p} \sigma \\ 0 & \text{otherwise} \end{cases}$$



Definition 5 (Divergent Adversary). An adversary $A$ of a probabilistic timed structure $(\Sigma, Tr, End)$ is divergent if and only if for any infinite path $\omega \in Path^A_{ful}$ and $t \in \mathbb{R}$, there exists $j \in \mathbb{N}$ such that $\mathcal{D}_\omega(j) > t$. Let $\mathcal{A}_{div}$ be the set of all divergent adversaries.

Note that this definition of divergent adversaries corresponds to a common 
restriction imposed in the study of real-time systems, namely that of time- 
divergence. The traditional interpretation of this requirement is that runs of the 
real-time system that are not time-divergent can be disregarded during analysis, 
because they do not represent realisable behaviour; in our case, consideration of 
the class of divergent adversaries means that nondeterministic choice is resolved 
in such a way as to result only in time-divergent paths. 

For any probabilistic timed structure, let $\Sigma_{path}$ be the smallest $\sigma$-algebra on $Path_{ful}$ which contains the sets:

$$\{\omega \mid \omega \in Path_{ful} \text{ and } \omega' \text{ is a prefix of } \omega\}$$

for all $\omega' \in Path_{fin}$.

We now define a measure $Prob$ on the $\sigma$-algebra $\Sigma_{path}$, by first defining the following function on the set of finite paths $Path_{fin}$.

Definition 6. Let $Prob_{fin} : Path_{fin} \rightarrow [0,1]$ be the mapping inductively defined on the length of paths in $Path_{fin}$ as follows. If $|\omega| = 0$, then $Prob_{fin}(\omega) = 1$. Now consider any path $\omega$ such that $|\omega| = n+1$. If $\omega^{(n)} = \omega'$, let:

$$Prob_{fin}(\omega) = Prob_{fin}(\omega') \cdot \mathbf{P}^A(\omega', \omega)$$

where $A$ is any adversary such that $A(\omega') = (t,p)$ and $\omega = \omega' \xrightarrow{t,p} \sigma$.

Definition 7. The measure $Prob$ on $\Sigma_{path}$ is the unique measure such that: $Prob(\{\omega \mid \omega \in Path_{ful} \text{ and } \omega' \text{ is a prefix of } \omega\}) = Prob_{fin}(\omega')$.
4 Probabilistic Timed Computation Tree Logic

We now describe the probabilistic real-time logic PTCTL (Probabilistic Timed Computation Tree Logic) which can be used to specify properties of probabilistic timed systems. PTCTL synthesizes elements from two extensions of the branching temporal logic CTL, namely the real-time temporal logic TCTL [ref] and the essentially equivalent probabilistic temporal logics pCTL and PBTL [ref]. In particular, the temporal operator $\mathcal{U}$ ("until") and the path quantifiers $\forall$ and $\exists$ ("for all" and "there exists", respectively) are taken from CTL, the freeze quantifier $z.\phi$ and the facility to refer directly to clock values are taken from TCTL, and the probabilistic operators $[\phi_1\,\exists\mathcal{U}\,\phi_2]_{\sqsupseteq\lambda}$ and $[\phi_1\,\forall\mathcal{U}\,\phi_2]_{\sqsupseteq\lambda}$ are taken from PBTL. Note that the freeze quantifier $z.\phi$ is used to reset the clock $z$, so that $\phi$ is evaluated from a state at which $z = 0$. Using our new logic, we can express properties such as, "with probability 0.6 or greater, the value of the system clock $x$ does not exceed 3 before 5 time units have elapsed", which is represented as the PTCTL formula $z.[(x \leq 3)\,\forall\mathcal{U}\,(z = 5)]_{\geq 0.6}$.

As with TCTL, PTCTL employs a set of clock variables in order to express timing properties; for this purpose, we introduce a set of formula clocks, $Z$, which is disjoint from $X$. Such clocks are assigned values by a formula clock valuation $\mathcal{E} : Z \rightarrow \mathbb{R}$, which uses the notation for clock valuations in the standard way.

Definition 8 (Atomic Formulae). Let $C$ be a set of clocks. A set of atomic formulae $AF_C$ is defined inductively by the syntax:

$$\psi ::= c \leq k \mid k \leq c \mid \neg\psi \mid \psi \vee \psi$$

where $c \in C$ and $k \in \mathbb{N}$. Atomic formulae of the form $c \leq k$ or $k \leq c$ are called minimal atomic formulae.



Definition 9 (Syntax of PTCTL). The syntax of PTCTL is defined as follows:

$$\phi ::= true \mid a \mid \psi \mid \phi \wedge \phi \mid \neg\phi \mid z.\phi \mid [\phi\,\exists\mathcal{U}\,\phi]_{\sqsupseteq\lambda} \mid [\phi\,\forall\mathcal{U}\,\phi]_{\sqsupseteq\lambda}$$

where $a \in AP$ is an atomic proposition, $\psi \in AF_{X \cup Z}$ is an atomic formula, $z \in Z$, $\lambda \in [0,1]$, and $\sqsupseteq$ is either $\geq$ or $>$.

Note that the values of system clocks in $X$ and formula clocks in $Z$ can be obtained from a state and a formula clock valuation, respectively. Then, if $\psi \in AF_{X \cup Z}$, and given a state $\sigma$ and a formula clock valuation $\mathcal{E}$, we denote by $\psi[\sigma,\mathcal{E}]$ the boolean value obtained by replacing each occurrence of a system clock $x \in X$ in $\psi$ by $\sigma(x)$, and each occurrence of a formula clock $z \in Z$ in $\psi$ by $\mathcal{E}(z)$.

Definition 10 (Satisfaction Relation for PTCTL). Given a probabilistic timed structure $\mathcal{M}$ and a set $\mathcal{A}$ of adversaries of $\mathcal{M}$, then for any state $\sigma$ of $\mathcal{M}$, formula clock valuation $\mathcal{E}$, and PTCTL formula $\phi$, the satisfaction relation $\sigma, \mathcal{E} \models_{\mathcal{A}} \phi$ is defined inductively as follows:

$\sigma, \mathcal{E} \models_{\mathcal{A}} true$ for all $\sigma$ and $\mathcal{E}$

$\sigma, \mathcal{E} \models_{\mathcal{A}} a$ iff $\sigma(a) = true$

$\sigma, \mathcal{E} \models_{\mathcal{A}} \psi$ iff $\psi[\sigma,\mathcal{E}] = true$

$\sigma, \mathcal{E} \models_{\mathcal{A}} \phi_1 \wedge \phi_2$ iff $\sigma, \mathcal{E} \models_{\mathcal{A}} \phi_1$ and $\sigma, \mathcal{E} \models_{\mathcal{A}} \phi_2$

$\sigma, \mathcal{E} \models_{\mathcal{A}} \neg\phi$ iff $\sigma, \mathcal{E} \not\models_{\mathcal{A}} \phi$

$\sigma, \mathcal{E} \models_{\mathcal{A}} z.\phi$ iff $\sigma, \mathcal{E}[z \mapsto 0] \models_{\mathcal{A}} \phi$

$\sigma, \mathcal{E} \models_{\mathcal{A}} [\phi_1\,\exists\mathcal{U}\,\phi_2]_{\sqsupseteq\lambda}$ iff $Prob(\{\omega \mid \omega \in Path^A_{ful}(\sigma) \wedge \omega, \mathcal{E} \models_{\mathcal{A}} \phi_1\,\mathcal{U}\,\phi_2\}) \sqsupseteq \lambda$ for some $A \in \mathcal{A}$

$\sigma, \mathcal{E} \models_{\mathcal{A}} [\phi_1\,\forall\mathcal{U}\,\phi_2]_{\sqsupseteq\lambda}$ iff $Prob(\{\omega \mid \omega \in Path^A_{ful}(\sigma) \wedge \omega, \mathcal{E} \models_{\mathcal{A}} \phi_1\,\mathcal{U}\,\phi_2\}) \sqsupseteq \lambda$ for all $A \in \mathcal{A}$

$\omega, \mathcal{E} \models_{\mathcal{A}} \phi_1\,\mathcal{U}\,\phi_2$ iff there exists $i \in \mathbb{N}$, and $0 \leq t \leq t_i$ such that $\omega(i) + t, \mathcal{E} + \mathcal{D}_\omega(i) + t \models_{\mathcal{A}} \phi_2$, and for all $j \in \mathbb{N}$ and $t' \in \mathbb{R}$ such that $t' \leq t_j$ and $(j,t') \prec (i,t)$, $\omega(j) + t', \mathcal{E} + \mathcal{D}_\omega(j) + t' \models_{\mathcal{A}} \phi_1 \vee \phi_2$



5 Probabilistic Timed Graphs 

This section introduces probabilistic timed graphs as a modelling framework for real-time systems with probability. This formalism is derived from timed graphs [ref], a variant of timed automata for which model checking of TCTL properties can be performed. Here, we extend timed graphs with discrete probability distributions over edges, so that the choice of the next location of the graph is now probabilistic, in addition to nondeterministic, in nature. Furthermore, we incorporate invariant conditions [ref] into the probabilistic timed graph in order to enforce upper bounds on the time at which certain probabilistic choices are made.

Definition 11 (Probabilistic Timed Graph). A probabilistic timed graph is a tuple $G = (S, L, s_{init}, X, inv, prob, (\tau_s)_{s \in S})$ where

— a finite set $S$ of nodes,

— a function $L : S \rightarrow 2^{AP}$ assigning to each node of the graph the set of atomic propositions that are true in that node,

— a start node $s_{init} \in S$,

— a finite set $X$ of clocks,

— a function $inv : S \rightarrow AF_X$ assigning to each node an invariant condition,

— a function $prob$ assigning to each node $s$ a (finite non-empty) set $prob(s) \subseteq \mu(S \times 2^X)$ of discrete probability distributions on $S \times 2^X$,

— a family of functions $(\tau_s)_{s \in S}$ where for any $s \in S$: $\tau_s : prob(s) \rightarrow AF_X$ assigns to each $p_s \in prob(s)$ an enabling condition.

For simplicity, the invariant and enabling conditions are subject to the following assumption: if, in some state in the execution of $G$, allowing any amount of time to elapse would violate the invariant condition of the current node, then the enabling condition of at least one probability distribution is satisfied.¹

¹ Another solution is to identify an additional discrete probability distribution $p^{inv}_s \in \mu(S \times 2^X)$ with each $s \in S$, which becomes enabled in $s$ at the points for which progression of any amount of time would violate the node's invariant $inv(s)$.
The system starts in node $s_{init}$ with all of its clocks initialized to 0. The values of all the clocks increase uniformly with time. At any point in time, if the system is in node $s$ and the invariant condition will not be violated by letting time advance, then the system can either (a) remain in its current node and let time advance, or (b) make a state transition if there exists a distribution $p_s \in prob(s)$ whose corresponding enabling condition $\tau_s(p_s)$ is satisfied by the current values of the clocks. Alternatively, if the invariant condition will be violated by letting time advance then the system must make a state transition. State transitions are instantaneous and consist of the following two steps performed in succession: firstly, the system makes a nondeterministic choice between the set of distributions $p_s \in prob(s)$ whose corresponding enabling condition $\tau_s(p_s)$ is satisfied by the current values of the clocks.² Secondly, supposing that the probability distribution $p_s$ is chosen, the system then makes a probabilistic transition according to $p_s$; that is, for any $s' \in S$ and $C \subseteq X$, the probability the system will make a state transition to node $s'$, and reset all the clocks in $C$ to 0, is given by $p_s(s', C)$.

Figure 1. The probabilistic timed graph $G_1$.

Example. An example of a probabilistic timed graph is given in Figure 1. Control of $G_1$ initially resides in node $s_1$, with the system clocks, $x$ and $y$, each set to 0. Node $s_1$ has two outgoing edges, both of which have the same enabling condition, $(y > 0)$, and are defined with respect to the probability distribution $p_{s_1}$, as denoted by the dashed arc connecting the edges at their source. The bold numerals labelling the edges refer to the probabilities of the edges being taken, while assignment labels such as $x := 0$ refer to clock resets. Therefore, the diagram states that when the value of $y$ exceeds 0 and a nondeterministic choice has been made to take an edge according to $p_{s_1}$, with probability 0.3 control returns to $s_1$ with the value of $x$ reset to 0, and with probability 0.7 control switches to node $s_2$. More formally, $p_{s_1}(s_1, \{x\}) = 0.3$ and $p_{s_1}(s_2, \emptyset) = 0.7$. Also note that the invariant condition of $s_1$, which is shown within the body of the node, states that the probabilistic timed graph cannot allow time to pass if doing so would take the value of either $x$ or $y$ above 1; in such a case, a probabilistic choice over the outgoing edges would be forced. The behaviour of the system when control resides in $s_2$ takes a similar form.

² In the case in which we have the special probability distribution $p^{inv}_s$, then this distribution must be taken at this point.



Obtaining a Probabilistic Timed Structure from a Probabilistic Timed Graph. This section will now show that the behaviour of a probabilistic timed graph can be formally stated in terms of a probabilistic timed structure. First, the following notation must be introduced. A system clock valuation for the set of clocks $X$ is a function $\nu : X \rightarrow \mathbb{R}$. Let $\Gamma(X)$ denote the set of all system clock valuations for all the clocks of $X$. The standard notation for clock valuations, as introduced in section 3, is used for system clock valuations $\nu$.

Let $\psi \in AF_X$ and $\nu \in \Gamma(X)$. Then $\psi[\nu]$ is the boolean value obtained by replacing each occurrence of a clock $x \in X$ in $\psi$ by $\nu(x)$. If $\psi[\nu] = true$ then we say that $\nu$ satisfies $\psi$.

Definition 12 (State of a Probabilistic Timed Graph). A state of $G$ is a tuple $(s,\nu)$, where $s \in S$ and $\nu \in \Gamma(X)$ such that $\nu$ satisfies $inv(s)$.

To uniquely identify each node of the probabilistic timed graph, we let $a_s$ be an atomic proposition that is true only in node $s$. Formally, we extend the set of atomic propositions to $AP' = AP \cup \{a_s \mid s \in S\}$, and the labelling function to $L' : S \rightarrow 2^{AP'}$, where $L'(s) = L(s) \cup \{a_s\}$ for all $s \in S$.

We now define a probabilistic timed structure to formally define the behaviour of a probabilistic timed graph. Note that this definition also allows us to interpret PTCTL formulae with atomic propositions from $AP'$ over a probabilistic timed graph.

Definition 13. For any probabilistic timed graph $G$, let $\mathcal{M}_G = (\Sigma^G, Tr^G, End^G)$ be the probabilistic timed structure defined as follows:

— $\Sigma^G$ is the set of states of $G$. For a given state of $G$, $(s,\nu)$, then the corresponding state of $\mathcal{M}_G$ is obtained by letting $(s,\nu)(a) = true$, if $a \in L'(s)$, for all $a \in AP'$, and $false$ otherwise, and letting $(s,\nu)(x) = \nu(x)$ for all $x \in X$.

— Take any $(s,\nu) \in \Sigma^G$. Then $(t,p) \in Tr^G((s,\nu))$, where $t \in \mathbb{R}$ and $p \in \mu(S \times \Gamma(X))$, if and only if there exists $p_s \in prob(s)$ such that

1. the clock valuation $\nu + t$ satisfies $\tau_s(p_s)$,

2. $(\nu + t')$ satisfies the invariant condition $inv(s)$ for all $0 \leq t' \leq t$,

3. for any $(s',\nu')$:

$$p((s',\nu')) = \sum_{C \subseteq X,\; (\nu + t)[C \mapsto 0] = \nu'} p_s(s', C).$$

— $End^G$ comprises the states $(s,\nu)$ for which, for any $t \in \mathbb{R}$, $\nu + t$ satisfies $inv(s)$.

It is now possible to define the set of adversaries of $\mathcal{M}_G$ using Definition 4.
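To make Definition 13 and the Figure 1 example concrete, here is an added example (our own code, not from the paper) that encodes $G_1$, computes the transitions of $\mathcal{M}_{G_1}$ available from a state for a chosen delay, and evaluates $Prob_{fin}$ of a finite path as in Definition 6. The invariant of $s_1$ is taken as $x \leq 1 \wedge y \leq 1$ and its enabling condition as $y > 0$, following the text; the invariant, distribution and enabling condition of $s_2$ are assumptions of ours, since the figure only says its behaviour is similar.

```python
import math
from fractions import Fraction
from typing import Callable, Dict, FrozenSet, List, Tuple

# Added example: our own encoding of Definitions 11, 13 and 6; not the paper's code.
Valuation = Dict[str, Fraction]                       # nu : X -> R
State = Tuple[str, Tuple[Tuple[str, Fraction], ...]]  # hashable form of (s, nu)
Dist = Dict[Tuple[str, FrozenSet[str]], Fraction]     # p_s in mu(S x 2^X)
Atomic = Callable[[Valuation], bool]                  # psi in AF_X as a predicate

def state(s: str, nu: Valuation) -> State:
    return (s, tuple(sorted(nu.items())))

def reset(nu: Valuation, C: FrozenSet[str]) -> Valuation:
    """nu[C |-> 0]: clocks in C become 0, the others keep their value."""
    return {x: (Fraction(0) if x in C else v) for x, v in nu.items()}

def advance(nu: Valuation, t: Fraction) -> Valuation:
    """nu + t: every clock grows by t."""
    return {x: v + t for x, v in nu.items()}

def holds_throughout(psi: Atomic, nu: Valuation, t: Fraction) -> bool:
    """Condition 2 of Definition 13: psi holds at nu + t' for every 0 <= t' <= t.
    Atomic formulae compare clocks with naturals, so their truth value can only
    change at a delay t' where some clock nu(x) + t' is an integer.  Testing the
    endpoints, every such crossing in [0, t] and one point strictly inside each
    gap between consecutive crossings therefore decides the whole interval."""
    points = {Fraction(0), t}
    for v in nu.values():
        c = Fraction(math.ceil(v))            # first integer the clock reaches
        while c - v <= t:
            points.add(c - v)
            c += 1
    pts = sorted(points)
    samples = pts + [(a + b) / 2 for a, b in zip(pts, pts[1:])]
    return all(psi(advance(nu, tp)) for tp in samples)

class ProbabilisticTimedGraph:
    """G = (S, L, s_init, X, inv, prob, (tau_s)) of Definition 11; the labelling
    L is omitted because only clocks matter for the transitions computed here."""
    def __init__(self, nodes, init, clocks, inv, prob, tau):
        self.S, self.s_init, self.X = nodes, init, clocks
        self.inv: Dict[str, Atomic] = inv          # inv(s)
        self.prob: Dict[str, List[Dist]] = prob    # prob(s) as a list of p_s
        self.tau: Dict[str, List[Atomic]] = tau    # tau[s][i] guards prob[s][i]

def successor_distribution(G, s, nu, t, i):
    """The pair (t, p) in Tr^G((s, nu)) induced by the i-th distribution of
    prob(s) (Definition 13).  Returns p as a map from states (s', nu') to
    probabilities, or None when waiting t is not allowed: the enabling condition
    fails at nu + t, or the invariant is violated somewhere on the way."""
    p_s, guard = G.prob[s][i], G.tau[s][i]
    nu_t = advance(nu, t)
    if not guard(nu_t):                            # condition 1
        return None
    if not holds_throughout(G.inv[s], nu, t):      # condition 2
        return None
    p: Dict[State, Fraction] = {}
    for (s2, C), pr in p_s.items():                # condition 3: resets C that
        target = state(s2, reset(nu_t, C))         # lead to the same (s', nu')
        p[target] = p.get(target, Fraction(0)) + pr  # are summed
    return p

def path_probability(G, states, choices):
    """Prob_fin of the finite path sigma_0 -(t_0,p_0)-> ... -> sigma_n
    (Definition 6): the product of p_i(sigma_{i+1}) along the path, where
    choices[i] = (t_i, index of p_i in prob(s_i)); 0 if some step is impossible."""
    prob = Fraction(1)
    for (s, nu), (t, i), nxt in zip(states, choices, states[1:]):
        p = successor_distribution(G, s, nu, t, i)
        if p is None:
            return Fraction(0)
        prob *= p.get(state(*nxt), Fraction(0))
    return prob

def val(x, y) -> Valuation:
    return {"x": Fraction(x), "y": Fraction(y)}

# G_1 of Figure 1.  inv(s1) = (x <= 1 and y <= 1) and tau_s1(p_s1) = (y > 0)
# follow the text; the data for s2 is our assumption, chosen to mirror s1.
G1 = ProbabilisticTimedGraph(
    nodes={"s1", "s2"}, init="s1", clocks={"x", "y"},
    inv={"s1": lambda v: v["x"] <= 1 and v["y"] <= 1,
         "s2": lambda v: v["x"] <= 1 and v["y"] <= 1},                # assumed
    prob={"s1": [{("s1", frozenset({"x"})): Fraction(3, 10),
                  ("s2", frozenset()): Fraction(7, 10)}],
          "s2": [{("s2", frozenset({"y"})): Fraction(1, 2),            # assumed
                  ("s1", frozenset({"x", "y"})): Fraction(1, 2)}]},
    tau={"s1": [lambda v: v["y"] > 0],
         "s2": [lambda v: v["x"] > 0]},                                 # assumed
)

if __name__ == "__main__":
    h = Fraction(1, 2)
    print(successor_distribution(G1, "s1", val(0, 0), h, 0))
    # s1 -> s1 (x reset) -> s2, waiting 1/2 time units before each step: 0.3 * 0.7
    print(path_probability(G1, [("s1", val(0, 0)), ("s1", val(0, h)),
                                ("s2", val(h, 1))], [(h, 0), (h, 0)]))
```

Waiting 3/4 time units in $s_1$ from $(x,y) = (0, 1/2)$ is rejected because $y$ would pass 1 on the way, even though the enabling condition $y > 0$ holds at the end of the delay.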
6 Model Checking Probabilistic Timed Graphs

Note that, because all clocks are real-valued, the state space of a probabilistic timed graph is infinite. However, it was noted in [ref] that the space of clock valuations of a timed graph can be partitioned into a finite set of clock regions, each containing a finite or infinite number of valuations which, as noted by [ref], satisfy the same TCTL formulae. Combination of this partitioning with the transition systems of a timed graph induces a structure called a region graph, which can be used for model checking. This section will show that a similar construction can be used for model checking probabilistic timed graphs against PTCTL formulae.



Equivalence of Clock Valuations. 

Definition 14. For any $x \in X$ let $k_x$ be the largest constant the system clock $x$ is compared to in any of the invariant or enabling conditions.

Furthermore, for any $\nu \in \Gamma(X)$ and $x \in X$, $x$ is relevant for $\nu$ if $\nu(x) \leq k_x$.

Definition 15. For any $t \in \mathbb{R}$, $\lfloor t \rfloor$ denotes its integral part. Then, for any $t, t' \in \mathbb{R}$, $t$ and $t'$ agree on their integral parts if and only if:

1. $\lfloor t \rfloor = \lfloor t' \rfloor$,

2. both $t$ and $t'$ are integers or neither is an integer.

Definition 16 (Clock equivalence). For clock valuations $\nu$ and $\nu'$ in $\Gamma(X)$, $\nu \cong \nu'$ if and only if the following conditions are satisfied:

1. $\forall x \in X$ either $\nu(x)$ and $\nu'(x)$ agree on their integral parts, or $x$ is not relevant for both $\nu$ and $\nu'$,

2. $\forall x, x' \in X$ that are relevant for $\nu$, then $\nu(x) - \nu(x')$ and $\nu'(x) - \nu'(x')$ agree on their integral parts.

Lemma 1. Let $\nu, \nu' \in \Gamma(X)$ such that $\nu \cong \nu'$. Then the following conditions hold:

(a) $\nu[C \mapsto 0] \cong \nu'[C \mapsto 0]$ for all $C \subseteq X$,

(b) for any $x \in X$, $x$ is relevant for $\nu$ if and only if $x$ is relevant for $\nu'$,

(c) for any atomic formula $\psi \in AF_X$, $\nu$ satisfies $\psi$ if and only if $\nu'$ satisfies $\psi$.

Proof. The proof follows from the definition of $\cong$. □

Let $[\nu]$ denote the equivalence class to which $\nu$ belongs, and we refer to elements such as $(s,[\nu])$ as regions.

We now extend the concept of clock equivalence to formula clocks. Let $(\nu,\mathcal{E}) : X \cup Z \rightarrow \mathbb{R}$ be the clock valuation that assigns a real value to each of the system and formula clocks, and let $\Gamma^*(X \cup Z)$ be the set of all such valuations for $G$.
For a $(\nu,\mathcal{E}) \in \Gamma^*(X \cup Z)$, and $C \subseteq X \cup Z$, we use the notation $(\nu,\mathcal{E})[C \mapsto 0]$ in the usual way. For some $t \in \mathbb{R}$, $(\nu + t, \mathcal{E} + t)$ denotes the clock valuation for which all clocks $c$ in $X \cup Z$ take the value $(\nu,\mathcal{E})(c) + t$.

The equivalence relation for such a valuation is defined with respect to a particular PTCTL formula $\phi$. For each formula clock $z \in Z$, we let $k_z$ be the largest constant that $z$ is compared to in the atomic formulae of $\phi$, and extend the notion of relevance of Definition 14 to formula clocks in the natural way. Let $\mathcal{E}'$ be the restriction of $\mathcal{E}$ over the clocks of $Z$ that are referred to in $\phi$. We can then extend the equivalence relation from $\cong$ to $\cong^*$ simply by taking $(\nu,\mathcal{E}')$ instead of $\nu$ and $X \cup Z$ instead of $X$; the definition of equivalence classes of the form $[\nu,\mathcal{E}']$ then follows in an obvious manner. Furthermore, Lemma 1 holds for $\cong^*$. Because our construction of the equivalence classes will always be with respect to a particular $\phi$, we henceforth write $\mathcal{E}$ for $\mathcal{E}'$. An element of the form $(s,[\nu,\mathcal{E}])$ is called an augmented region.

Let $\alpha$ be an equivalence class of the form $[\nu,\mathcal{E}]$. Then $\alpha[C \mapsto 0]$ denotes the equivalence class obtained from $\alpha$ by setting all of the clocks in $C$ to 0, and let clock $c \in X \cup Z$ be relevant for $\alpha$ if $(\nu,\mathcal{E})(c) \leq k_c$, where $(\nu,\mathcal{E})$ is some clock valuation such that $(\nu,\mathcal{E}) \in \alpha$.



The Region Graph. We now define an edge relation over the augmented regions to obtain the region graph. The standard non-probabilistic region construction results in a state-labelled transition system, which can be model checked using well-established methods. However, in our case the region graph takes the form of a concurrent probabilistic system [5] (and is also equivalent to a probabilistic-nondeterministic system), for which there exist model checking techniques for temporal logics with probability bounds.

First, we require some preliminary definitions.

Definition 17 (Satisfaction of formulae). Let $\alpha$ be an equivalence class of $\Gamma^*(X \cup Z)$ and $\varphi \in \mathcal{AF}_{X \cup Z}$ be an atomic formula. Then $\alpha$ satisfies $\varphi$ if and only if, for any $(\nu, \mathcal{E}) \in \alpha$, the value of $\varphi$ after substituting each occurrence of $x \in X$ with $\nu(x)$, and each occurrence of $z \in Z$ with $\mathcal{E}(z)$, is true. (Note that the value of $\varphi$ will be the same for all $(\nu, \mathcal{E}) \in \alpha$, by Lemma 1(c).)

Definition 18 (Successor Region). Let $\alpha$ and $\beta$ be distinct equivalence classes of $\Gamma^*(X \cup Z)$. The equivalence class $\beta$ is said to be the successor of $\alpha$ if and only if, for each $(\nu, \mathcal{E}) \in \alpha$, there exists a positive $t \in \mathbb{R}$ such that $(\nu + t, \mathcal{E} + t) \in \beta$ and $(\nu + t', \mathcal{E} + t') \in \alpha \cup \beta$ for all $t' < t$. We then denote the equivalence class $\beta$ by $\mathrm{succ}(\alpha)$.

The successor relation can be extended to augmented regions in the following way: $(s', \beta)$ is the successor region of $(s, \alpha)$ if $s' = s$ and $\beta = \mathrm{succ}(\alpha)$.

Definition 19 (End Class). Let $\alpha$ be an equivalence class of $\Gamma^*(X \cup Z)$. The class $\alpha$ is an end class if and only if, for all $c \in X \cup Z$, $c$ is not relevant for $\alpha$. Furthermore, for any $s \in S$, $(s, \alpha)$ is then an end region.
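The following Python example is added here and is not part of the paper: it makes Definitions 16, 18 and 19 executable. A clock is taken to be relevant for a valuation when its value is at most its bound $k_c$ (as in the augmented-region text above), the integral-part test is "same floor and both integer or neither", and a clock valuation is represented as a dictionary of exact rationals so that the integer tests are not disturbed by rounding. The clock names, bounds and valuations below are constructed for illustration. Since formula clocks are treated exactly like system clocks with their own $k_z$, the same code serves $\equiv^*$ on $X \cup Z$.

```python
from fractions import Fraction
from math import floor
from typing import Dict, Iterator, Optional, Tuple

# A clock valuation: clock name -> exact non-negative rational value.
Valuation = Dict[str, Fraction]
# Bounds k_c: the largest constant each clock is compared with.
Bounds = Dict[str, int]


def valuation(**clocks) -> Valuation:
    """Build a valuation from ints or strings such as "3/4" (exact Fractions)."""
    return {c: Fraction(x) for c, x in clocks.items()}


def relevant_clocks(v: Valuation, k: Bounds) -> Tuple[str, ...]:
    """A clock is relevant for v when its value does not exceed its bound k_c."""
    return tuple(sorted(c for c in v if v[c] <= k[c]))


def integral_part(t: Fraction) -> Tuple[int, bool]:
    """'Agree on integral parts' means: same floor, and both integer or neither."""
    return (floor(t), t.denominator == 1)


def region_signature(v: Valuation, k: Bounds):
    """Canonical key of the class [v] under Definition 16: two valuations are
    equivalent exactly when their signatures coincide.  Condition 1 records the
    integral part of every relevant clock (irrelevant clocks only as 'irrelevant');
    condition 2 records the integral part of every pairwise difference of
    relevant clocks, which fixes the ordering of their fractional parts."""
    rel = relevant_clocks(v, k)
    singles = tuple((c, integral_part(v[c])) for c in rel)
    pairs = tuple((c, d, integral_part(v[c] - v[d]))
                  for i, c in enumerate(rel) for d in rel[i + 1:])
    return (rel, singles, pairs)


def equivalent(v: Valuation, w: Valuation, k: Bounds) -> bool:
    return region_signature(v, k) == region_signature(w, k)


def is_end_class(v: Valuation, k: Bounds) -> bool:
    """Definition 19: no clock is relevant, so letting time pass changes nothing."""
    return not relevant_clocks(v, k)


def successor_representative(v: Valuation, k: Bounds) -> Optional[Valuation]:
    """A member of succ([v]) (Definition 18), or None when [v] is an end class.
    Pairwise differences are invariant under time elapse, so the class changes
    exactly when a relevant clock leaves or reaches an integer value:
      - if some relevant clock is an integer now, any delay shorter than the
        distance of the nearest non-integer relevant clock to its next integer
        lands in the successor class;
      - otherwise the successor is reached when the first relevant clock hits
        its next integer."""
    rel = relevant_clocks(v, k)
    if not rel:
        return None
    to_next_int = [1 - (v[c] - floor(v[c])) for c in rel if v[c].denominator != 1]
    if any(v[c].denominator == 1 for c in rel):
        t = min(to_next_int, default=Fraction(1)) / 2   # strictly before the next boundary
    else:
        t = min(to_next_int)
    return {c: val + t for c, val in v.items()}


def time_successors(v: Valuation, k: Bounds) -> Iterator[Valuation]:
    """Follow succ(.) from [v] until an end class is reached, yielding one
    representative per class; these are the p^succ edges of one location."""
    cur: Optional[Valuation] = v
    while cur is not None:
        yield cur
        cur = successor_representative(cur, k)


if __name__ == "__main__":
    K = {"x": 2, "y": 1}
    for rep in time_successors(valuation(x="1/2", y=0), K):
        print({c: str(val) for c, val in rep.items()}, "end" if is_end_class(rep, K) else "")
```

With bounds $k_x = 2$, $k_y = 1$ the chain from $[\nu]$ with $\nu(x) = 1/2$, $\nu(y) = 0$ passes through eight classes before the end class, alternating between classes in which some relevant clock is an integer and open classes in which none is; the invariant check of Definition 20 is deliberately left out, since it depends on the location.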
We now define a region graph which captures both the probabilistic transitions in $G$ and the movement to new regions due to the passage of time.

Definition 20 (Region Graph). The region graph $R(G, \phi)$ is defined to be the graph $(V^*, \mathit{Steps}^*, \mathit{End}^*)$. The vertex set $V^*$ is the set of augmented regions, and the set $\mathit{End}^* \subseteq V^*$ comprises the set of end regions. The edge function $\mathit{Steps}^*$, which maps each vertex of $V^*$ to a finite set of probability distributions over $V^*$, includes two types of transitions:*

passage of time: if $\alpha$ is not an end class and the invariant condition $\mathit{inv}(s)$ is satisfied by $\mathrm{succ}(\alpha)$, then $p^{\mathit{succ}}_{s,\alpha} \in \mathit{Steps}^*((s, \alpha))$, where for any $(s', \beta) \in V^*$:
$$
p^{\mathit{succ}}_{s,\alpha}((s', \beta)) = \begin{cases} 1 & \text{if } (s', \beta) = (s, \mathrm{succ}(\alpha)) \\ 0 & \text{otherwise.} \end{cases}
$$

state transitions of $G$: $p^{p_s}_{s,\alpha} \in \mathit{Steps}^*((s, \alpha))$ if there exists $p_s \in \mathit{prob}(s)$ such that $\alpha$ satisfies the enabling condition $\tau_s(p_s)$, where for any $s' \in S$ and equivalence class $\beta$:
$$
p^{p_s}_{s,\alpha}((s', \beta)) = \sum_{C \subseteq X \ \&\ \alpha[C \mapsto 0] = \beta} p_s(s', C) .
$$

Definition 21 (Path on the Region Graph). Given an augmented region $(s, \alpha)$, an $(s, \alpha)$-path is a finite or infinite path of the form:
$$
\omega^* = (s_0, \alpha_0) \xrightarrow{p^{s_0,\alpha_0}} (s_1, \alpha_1) \xrightarrow{p^{s_1,\alpha_1}} (s_2, \alpha_2) \xrightarrow{p^{s_2,\alpha_2}} \cdots
$$
where $(s_0, \alpha_0) = (s, \alpha)$, $s_i \in S$, $\alpha_i$ is an equivalence class of $\Gamma^*(X \cup Z)$ and $p^{s_i,\alpha_i} \in \mathit{Steps}^*((s_i, \alpha_i))$ is such that $p^{s_i,\alpha_i}((s_{i+1}, \alpha_{i+1})) > 0$.

We define adversaries on the region graph $R(G, \phi)$ as follows:

Definition 22 (Adversaries on the Region Graph). An adversary $A^*$ on the region graph is a function $A^*$ mapping every finite path $\omega^*$ of $R(G, \phi)$ to a distribution $p$ such that $p \in \mathit{Steps}^*(\mathit{last}(\omega^*))$.

We can then define the sets of paths $\mathit{Path}^*_{\mathit{fin}}$ and $\mathit{Path}^*_{\mathit{ful}}$, and those associated with an adversary, $\mathit{Path}^{A^*}_{\mathit{fin}}$ and $\mathit{Path}^{A^*}_{\mathit{ful}}$, as before. Note that end regions take the role of end states in the definition of the finite paths of $\mathit{Path}^*_{\mathit{ful}}$ and $\mathit{Path}^{A^*}_{\mathit{ful}}$.

With each adversary $A^*$ we can associate a Markov chain. If $A^*$ is an adversary of the region graph $R(G, \phi)$, then $\mathit{MC}^{A^*} = (\mathit{Path}^{A^*}_{\mathit{fin}}, \mathbf{P}^{A^*})$ is a Markov chain where, for the augmented regions $(s, \alpha)$, $(s', \alpha')$ and $\mathit{last}(\omega^*) = (s, \alpha)$:
$$
\mathbf{P}^{A^*}(\omega^*, \omega'^*) = \begin{cases} p^{s,\alpha}((s', \alpha')) & \text{if } A^*(\omega^*) = p^{s,\alpha} \text{ and } \omega'^* = \omega^* \xrightarrow{p^{s,\alpha}} (s', \alpha') \\ 0 & \text{otherwise.} \end{cases}
$$

* If the model includes the distributions $p^{f}_s$ then we need to add an extra condition in the definition.
Definition 23 (Divergent Adversaries on the Region Graph). An adversary $A^*$ is divergent if and only if, for all infinite paths $\omega^* \in \mathit{Path}^{A^*}_{\mathit{ful}}$, there exist infinitely many $n \in \mathbb{N}$ such that one of the following holds:

1. $\omega^*(n)$ is an end region,

2. $\omega^*(n+1)$ is the successor region of $\omega^*(n)$.

Let $\mathcal{A}^*_{\mathit{div}}$ be the set of divergent adversaries on the region graph.

Such divergent adversaries on the region graph $R(G, \phi)$ correspond to an infinite number of adversaries on the underlying probabilistic timed structure $\mathcal{M}^G$, some of which will be divergent in the sense of the definition of divergent adversaries of $\mathcal{M}^G$ given earlier. Conversely, for any divergent adversary of $\mathcal{M}^G$ there exists a corresponding divergent adversary on $R(G, \phi)$. We observe that the notion of divergent paths of $R(G, \phi)$ induced by adversaries in $\mathcal{A}^*_{\mathit{div}}$ differs from that of fair paths of the non-probabilistic region graph because of our assumption of weakly monotonic time.

As usual, we define the function $\mathit{Prob}^*$ as the unique measure on the $\sigma$-algebra

Model Checking. A method for model checking probabilistic timed graphs against PTCTL formulae will now be presented. This approach takes the form of three steps: construction of the region graph as a finite-state representation of the probabilistic timed graph in question, obtaining a formula of an extension of the probabilistic logic PBTL, and then resolving this new formula on the region graph.

First, we turn our attention to the structure over which the PBTL formula will be resolved. Formulae of PBTL are interpreted over 'PBTL-structures', which are concurrent probabilistic systems extended with a vertex labelling function. As our region graph $R(G, \phi)$ is a concurrent probabilistic system, adding an appropriately defined labelling function will convert it into a PBTL-structure, which we will call a labelled region graph. We define $\mathcal{AF}_\phi$ as the set of minimal atomic formulae appearing in the given PTCTL formula $\phi$. For every atomic formula $\varphi \in \mathcal{AF}_\phi$, we extend the set $AP$ with the atomic proposition $a_\varphi$. We denote the resulting set of atomic propositions by $AP^*$.

Definition 24 (Labelled Region Graph). For a given region graph $R(G, \phi)$, we define its associated labelled region graph by $(R(G, \phi), L^*)$, where the vertex labelling function $L^* : V^* \to 2^{AP^*}$ is defined as follows. For a given $(s, [\nu, \mathcal{E}])$, we let:
$$
L^*((s, [\nu, \mathcal{E}])) = \{ a \mid a \in L(s) \} \cup \{ a_\varphi \mid [\nu, \mathcal{E}] \text{ satisfies } \varphi,\ \varphi \in \mathcal{AF}_\phi \} .
$$

Next, we present an adjusted syntax of PBTL. Note that we omit PBTL's 'bounded until' operator, because an equivalent dense-time concept can be defined by nesting a PTCTL until operator within a freeze quantifier, and its 'next step' operator, which has no analogue in the case of dense real-time. However, we extend PBTL with a freeze quantifier expression.

Definition 25 (Syntax of PBTL). The syntax of PBTL is defined as follows:
$$
\Phi ::= \mathit{true} \ \mid\ a \ \mid\ \Phi \wedge \Phi \ \mid\ \neg\Phi \ \mid\ z.\Phi \ \mid\ [\Phi\ \exists\mathcal{U}\ \Phi]_{\sqsupseteq\lambda} \ \mid\ [\Phi\ \forall\mathcal{U}\ \Phi]_{\sqsupseteq\lambda}
$$
where $a \in AP^*$ is an atomic proposition, $z \in Z$, $\lambda \in [0, 1]$, and $\sqsupseteq$ is either $\geq$ or $>$.

Definition 26 (Satisfaction Relation for PBTL). Given a labelled region graph $(R(G, \phi), L^*)$ and a set $\mathcal{A}^*$ of adversaries on $R(G, \phi)$, then for any augmented region $(s, [\nu, \mathcal{E}])$ of $R(G, \phi)$ and PBTL formula $\Phi$, the satisfaction relation $(s, [\nu, \mathcal{E}]) \models_{\mathcal{A}^*} \Phi$ is defined inductively as follows:

$(s, [\nu, \mathcal{E}]) \models_{\mathcal{A}^*} \mathit{true}$ for all $(s, [\nu, \mathcal{E}])$

$(s, [\nu, \mathcal{E}]) \models_{\mathcal{A}^*} a$ iff $a \in L^*((s, [\nu, \mathcal{E}]))$

$(s, [\nu, \mathcal{E}]) \models_{\mathcal{A}^*} \Phi_1 \wedge \Phi_2$ iff $(s, [\nu, \mathcal{E}]) \models_{\mathcal{A}^*} \Phi_1$ and $(s, [\nu, \mathcal{E}]) \models_{\mathcal{A}^*} \Phi_2$

$(s, [\nu, \mathcal{E}]) \models_{\mathcal{A}^*} \neg\Phi$ iff $(s, [\nu, \mathcal{E}]) \not\models_{\mathcal{A}^*} \Phi$

$(s, [\nu, \mathcal{E}]) \models_{\mathcal{A}^*} z.\Phi$ iff $(s, [\nu, \mathcal{E}[z \mapsto 0]]) \models_{\mathcal{A}^*} \Phi$

$(s, [\nu, \mathcal{E}]) \models_{\mathcal{A}^*} [\Phi_1\ \exists\mathcal{U}\ \Phi_2]_{\sqsupseteq\lambda}$ iff $\mathit{Prob}^*(\{\omega^* \mid \omega^* \in \mathit{Path}^{A^*}_{\mathit{ful}}((s, [\nu, \mathcal{E}]))\ \&\ \omega^* \models_{\mathcal{A}^*} \Phi_1\,\mathcal{U}\,\Phi_2\}) \sqsupseteq \lambda$ for some $A^* \in \mathcal{A}^*$

$(s, [\nu, \mathcal{E}]) \models_{\mathcal{A}^*} [\Phi_1\ \forall\mathcal{U}\ \Phi_2]_{\sqsupseteq\lambda}$ iff $\mathit{Prob}^*(\{\omega^* \mid \omega^* \in \mathit{Path}^{A^*}_{\mathit{ful}}((s, [\nu, \mathcal{E}]))\ \&\ \omega^* \models_{\mathcal{A}^*} \Phi_1\,\mathcal{U}\,\Phi_2\}) \sqsupseteq \lambda$ for all $A^* \in \mathcal{A}^*$

$\omega^* \models_{\mathcal{A}^*} \Phi_1\,\mathcal{U}\,\Phi_2$ iff there exists $i \in \mathbb{N}$ such that $\omega^*(i) \models_{\mathcal{A}^*} \Phi_2$, and for all $j \in \mathbb{N}$ such that $0 \leq j < i$, $\omega^*(j) \models_{\mathcal{A}^*} \Phi_1 \vee \Phi_2$.
Furthermore, a PBTL formula $\Phi$ can be derived from a PTCTL formula $\phi$ by applying the following rules inductively:

    Subformula of $\phi$                                        Subformula of $\Phi$
    ---------------------------------------------------------------------------------------------
    $\mathit{true}$                                             $\mathit{true}$
    $a$                                                         $a$
    $\varphi$                                                   $a_\varphi$
    $\phi_1 \wedge \phi_2$                                      $\Phi_1 \wedge \Phi_2$
    $\neg\phi$                                                  $\neg\Phi$
    $z.\phi$                                                    $z.\Phi$
    $[\phi_1\ \exists\mathcal{U}\ \phi_2]_{\sqsupseteq\lambda}$  $[\Phi_1\ \exists\mathcal{U}\ \Phi_2]_{\sqsupseteq\lambda}$
    $[\phi_1\ \forall\mathcal{U}\ \phi_2]_{\sqsupseteq\lambda}$  $[\Phi_1\ \forall\mathcal{U}\ \Phi_2]_{\sqsupseteq\lambda}$

Figure 2 presents the region construction of the probabilistic timed graph of Figure 1. As before, the probabilistic transitions are linked with an arc at their source vertex. In order for the reader to easily comprehend the behaviour of the region graph, each vertex has been labelled with a constraint that is satisfied by all of the clock valuations within that augmented region. Consider the following PTCTL formula:
$$
\phi_1 = [(y = 0)\ \exists\mathcal{U}\ [(x > 0)\ \exists\mathcal{U}\ (y = 0)]_{\geq 0.7}]_{\geq 1} .
$$
$\phi_1$ can be interpreted over this graph by first converting it into the equivalent PBTL formula:
$$
\Phi_1 = [a_{(y=0)}\ \exists\mathcal{U}\ [a_{(x>0)}\ \exists\mathcal{U}\ a_{(y=0)}]_{\geq 0.7}]_{\geq 1} .
$$
$\Phi_1$ is satisfied by this region graph, and therefore we conclude that the probabilistic timed graph $G_1$ satisfies $\phi_1$. Note that the following PTCTL formula, $\phi_2$, is not satisfied by the region graph:

02 = [{y = 0)3Z^[(a; > 0)3U{y = 0)]>o.7]>i 




Figure 2. The region graph of the probabilistic timed graph $G_1$.



Proposition 1 (Correctness of the model checking procedure). Given the probabilistic timed graph $G$, the state $(s, \nu)$ of $\mathcal{M}^G$ and formula clock valuation $\mathcal{E}$ satisfy the PTCTL formula $\phi$ if and only if the vertex $(s, [\nu, \mathcal{E}])$ of $(R(G, \phi), L^*)$ satisfies the PBTL formula $\Phi$, where $\Phi$ is derived from $\phi$.

Proof. Before considering any temporal or probabilistic operators, we must be convinced that subformulae comprising only atomic propositions, atomic formulae, boolean connectives and freeze quantifiers are resolved satisfactorily. We proceed to show this by induction on the structure of $\phi$.

If $\phi = \mathit{true}$, then $\phi$ will be true for all states of $\mathcal{M}^G$ and all formula clock valuations. Here $\phi$ derives $\Phi = \mathit{true}$, which is true for all vertices in $(R(G, \phi), L^*)$.

If $\phi = a$, where $a \in AP$, then it is true for the state $(s, \nu)$ of $\mathcal{M}^G$ and all formula clock valuations if and only if $(s, \nu)(a) = \mathit{true}$. We also know that $(s, \nu)(a) = \mathit{true}$ if and only if $a \in L(s)$. By Definition 24, $a \in L^*((s, [\nu, \mathcal{E}]))$ if $a \in L(s)$, so $\Phi = a$ is true for the vertex $(s, [\nu, \mathcal{E}])$.

If $\phi = \varphi$, where $\varphi$ is a minimal atomic formula, then the state $(s, \nu)$ of $\mathcal{M}^G$ and formula clock valuation $\mathcal{E}$ satisfy $\varphi$ if $\varphi[\nu, \mathcal{E}] = \mathit{true}$. Then, by Definition 17 the class $[\nu, \mathcal{E}]$ satisfies $\varphi$, and by Definition 24 $a_\varphi \in L^*((s, [\nu, \mathcal{E}]))$. Because $\Phi = a_\varphi$ is derived from $\phi$, both $\phi$ and $\Phi$ resolve to true in $(s, \nu), \mathcal{E}$ and $(s, [\nu, \mathcal{E}])$ respectively.

The cases of the boolean connectives, $\neg$ and $\wedge$, are self-evident.
If $\phi = z.\phi_1$, then, for a given state $(s, \nu)$ and formula clock valuation $\mathcal{E}$ that satisfy $\phi$, we know that the augmented region $(s, [\nu, \mathcal{E}])$ will also satisfy $z.\Phi_1$, by observing the following argument. By the definition of the PTCTL satisfaction relation,

$(s, \nu), \mathcal{E} \models_{\mathcal{A}^G_{\mathit{div}}} z.\phi_1$

$\Leftrightarrow$ $(s, \nu), \mathcal{E}[z \mapsto 0] \models_{\mathcal{A}^G_{\mathit{div}}} \phi_1$

$\Leftrightarrow$ $(s, [\nu, \mathcal{E}[z \mapsto 0]]) \models_{\mathcal{A}^*_{\mathit{div}}} \Phi_1$ (by induction)

$\Leftrightarrow$ $(s, [\nu, \mathcal{E}]) \models_{\mathcal{A}^*_{\mathit{div}}} z.\Phi_1$ (by Definition 26).

Now we show that $(s, \nu), \mathcal{E} \models_{\mathcal{A}^G_{\mathit{div}}} [\phi_1\ \exists\mathcal{U}\ \phi_2]_{\sqsupseteq\lambda}$ if and only if $(s, [\nu, \mathcal{E}]) \models_{\mathcal{A}^*_{\mathit{div}}} [\Phi_1\ \exists\mathcal{U}\ \Phi_2]_{\sqsupseteq\lambda}$. Our presentation is split into three sections:

1. showing that, for a path $\omega$ of $\mathcal{M}^G$, a corresponding path $[\omega]$ of $(R(G, \phi), L^*)$ can be constructed. Furthermore, both of these paths have the same corresponding notion of divergence; that is, $\omega$ is divergent if and only if $[\omega]$ is divergent. It also follows that, given a path $\omega^*$ of the region graph, we can construct $\omega$ such that $[\omega] = \omega^*$.

2. showing that the two paths $\omega$ and $[\omega]$ are associated with the same probability value.

3. showing that $\omega, \mathcal{E} \models_{\mathcal{A}^G_{\mathit{div}}} \phi_1\,\mathcal{U}\,\phi_2$ if and only if $[\omega] \models_{\mathcal{A}^*_{\mathit{div}}} \Phi_1\,\mathcal{U}\,\Phi_2$, where the initial augmented state of $[\omega]$ comprises $\mathcal{E}$.

1. Consider the following property, which shall henceforth be referred to as the sequence property. Take a particular node $s \in S$ of $G$ and a clock valuation $(\nu, \mathcal{E})$, and consider the sequence of equivalence classes $[\nu + d_1, \mathcal{E} + d_1], \ldots, [\nu + d_k, \mathcal{E} + d_k]$, where each equivalence class satisfies $\mathit{inv}(s)$, $d_i \in \mathbb{R}$ for all $1 \leq i \leq k$, and $\mathrm{succ}([\nu + d_i, \mathcal{E} + d_i]) = [\nu + d_{i+1}, \mathcal{E} + d_{i+1}]$ for all $1 \leq i < k$. Then, for any time value $d \in \mathbb{R}$ with $d_1 \leq d \leq d_k$, we know that $(\nu + d, \mathcal{E} + d) \equiv^* (\nu + d_j, \mathcal{E} + d_j)$ for some $1 \leq j \leq k$. We can then write $(\nu + d, \mathcal{E} + d) \in [\nu + d_j, \mathcal{E} + d_j]$.

The sequence property allows us to state the following. Consider the path $\omega$ of $\mathcal{M}^G$ such that:
$$
\omega = (s_0, \nu_0) \xrightarrow{t_0, p_0} (s_1, \nu_1) \xrightarrow{t_1, p_1} \cdots
$$
Take a particular $i \geq 0$. From $(s_i, \nu_i)$, and letting $t_i$ time units elapse, we may cross into a number of equivalence classes before making the next edge transition. We let $m_i$ be this number. Let $v_{i0} = (s_i, [\nu_i, \mathcal{E} + \mathcal{D}_\omega(i)])$ and $v_{ij} = (s_i, [\nu_i + d_j, \mathcal{E} + \mathcal{D}_\omega(i) + d_j])$ for $1 \leq j \leq m_i$ and $d_j \in \mathbb{R}$, where $\mathcal{D}_\omega(i)$ is the time elapsed along $\omega$ before the $i$-th state. Then we can construct the finite path $[\omega_i]$ of the region graph such that:
$$
[\omega_i] = v_{i0} \xrightarrow{p^{\mathit{succ}}} v_{i1} \xrightarrow{p^{\mathit{succ}}} \cdots \xrightarrow{p^{\mathit{succ}}} v_{im_i} \xrightarrow{p^{p_{s_i}}} v_{(i+1)0} .
$$
Let $[\omega] = [\omega_0][\omega_1] \cdots$ be the concatenation of all such segments.

This construction also works in the opposite direction. Let $(s, \alpha_1) \xrightarrow{p^{\mathit{succ}}} \cdots \xrightarrow{p^{\mathit{succ}}} (s, \alpha_n)$ be a path through the region graph such that all of its edges correspond to $p^{\mathit{succ}}$ transitions. Now suppose that $(s, \alpha_n) \xrightarrow{p^{p_s}} (s', \alpha')$. Then, assuming that we have a partially constructed finite path $\omega$ of $\mathcal{M}^G$ such that $|\omega| = i$ and $(\nu_i, \mathcal{E} + \mathcal{D}_\omega(i)) \in \alpha_1$, it follows that $\omega$ can be extended by the transition $(s_i, \nu_i) \xrightarrow{t_i, p_i} (s_{i+1}, \nu_{i+1})$, where $t_i \in \mathbb{R}$ and $p_i$ is derived from $p_s$ in the usual way. Therefore, we have a method for constructing infinite or finite paths of $\mathcal{M}^G$ from paths of $(R(G, \phi), L^*)$. We note that such paths may be finite if the region graph reaches an end class from which no transitions are enabled, and that paths induced by divergent adversaries of the region graph guarantee the existence of corresponding time-divergent paths of $\mathcal{M}^G$. It then follows that, given $\omega^*$ of $(R(G, \phi), L^*)$, we can construct $\omega$ of $\mathcal{M}^G$ such that $[\omega] = \omega^*$.

2. Now we must show that the probability values associated with the paths $\omega$ and $[\omega]$ are the same. Consider the segment $\omega_i = (s_i, \nu_i) \xrightarrow{t_i, p_i} (s_{i+1}, \nu_{i+1})$ of $\omega$, and the segment of $[\omega]$:
$$
[\omega_i] = v_{i0} \xrightarrow{p^{\mathit{succ}}} v_{i1} \xrightarrow{p^{\mathit{succ}}} \cdots \xrightarrow{p^{\mathit{succ}}} v_{im_i} \xrightarrow{p^{p_{s_i}}} v_{(i+1)0} .
$$
We wish to show that $\mathit{Prob}_{\mathit{fin}}(\omega_i) = \mathit{Prob}^*_{\mathit{fin}}([\omega_i])$. Consider the transition $v_{ij} \xrightarrow{p^{\mathit{succ}}} v_{i(j+1)}$ for $1 \leq j < m_i$. Then, from the sequence property and the above construction of $[\omega]$, we know that $v_{i(j+1)}$ is a time successor of $v_{ij}$, and therefore $p^{\mathit{succ}}(v_{i(j+1)}) = 1$. Therefore, our problem reduces to showing that:
$$
\mathit{Prob}_{\mathit{fin}}\big((s_i, \nu_i) \xrightarrow{t_i, p_i} (s_{i+1}, \nu_{i+1})\big) = \mathit{Prob}^*_{\mathit{fin}}\big(v_{im_i} \xrightarrow{p^{p_{s_i}}} v_{(i+1)0}\big) .
$$
By the definitions of $\mathit{Prob}$ and $\mathit{Prob}^*$, this reduces to showing that:
$$
p_i((s_{i+1}, \nu_{i+1})) = p^{p_{s_i}}((s_{i+1}, [\nu_{i+1}, \mathcal{E} + \mathcal{D}_\omega(i+1)])) .
$$
Firstly, we note that $\nu_i + t_i \in [\nu_i + d_{m_i}]$. Because all of the system clock valuations in $[\nu_i + d_{m_i}]$ enable the same probability distributions, we know that the same distributions are enabled in $(s_i, \nu_i + t_i)$ and $v_{im_i} = (s_i, [\nu_i + d_{m_i}, \mathcal{E} + \mathcal{D}_\omega(i) + d_{m_i}])$. Furthermore, the move from $(s_i, \nu_i + t_i)$ to $(s_{i+1}, \nu_{i+1})$ in $\mathcal{M}^G$, and from $v_{im_i}$ to $v_{(i+1)0}$ in $R(G, \phi)$, will correspond to the choice of the same probability distribution of $G$. We denote this distribution by $p_{s_i}$. Recall from the definition of $\mathcal{M}^G$ that:
$$
p_i((s_{i+1}, \nu_{i+1})) = \sum_{C \subseteq X \ \&\ (\nu_i + t_i)[C \mapsto 0] = \nu_{i+1}} p_{s_i}(s_{i+1}, C) ,
$$
and from the definition of the region graph:
$$
p^{p_{s_i}}((s_{i+1}, \beta)) = \sum_{C \subseteq X \ \&\ \alpha[C \mapsto 0] = \beta} p_{s_i}(s_{i+1}, C) ,
$$
where $\alpha = [\nu_i + d_{m_i}, \mathcal{E} + \mathcal{D}_\omega(i) + d_{m_i}]$ and $\beta = [\nu_{i+1}, \mathcal{E} + \mathcal{D}_\omega(i+1)]$.

We know that, for any $C \subseteq X$, $(\nu_i + t_i)[C \mapsto 0] \in [\nu_i + d_{m_i}][C \mapsto 0]$, and, trivially, that $\nu_{i+1} \in [\nu_{i+1}]$, and so the combinations of $C \subseteq X$ used in both summations above will be the same. Therefore, the same probability values will be summed in the case of $\mathcal{M}^G$ and in that of $R(G, \phi)$, and we can conclude that $p_i((s_{i+1}, \nu_{i+1})) = p^{p_{s_i}}((s_{i+1}, \beta))$. We can repeat this process for all $i \in \mathbb{N}$ and, by the definitions of $\mathit{Prob}$ and $\mathit{Prob}^*$, show that the probability values associated with the paths $\omega$ and $[\omega]$ are the same.

3. Next we prove that $\omega, \mathcal{E} \models_{\mathcal{A}^G_{\mathit{div}}} \phi_1\,\mathcal{U}\,\phi_2$ if and only if $[\omega] \models_{\mathcal{A}^*_{\mathit{div}}} \Phi_1\,\mathcal{U}\,\Phi_2$. If $\omega(i) = (s_i, \nu_i)$ for all $i \in \mathbb{N}$, then

$\omega, \mathcal{E} \models_{\mathcal{A}^G_{\mathit{div}}} \phi_1\,\mathcal{U}\,\phi_2$

$\Leftrightarrow$ there exist $i \in \mathbb{N}$ and $0 \leq t \leq t_i$ such that $\omega(i) + t, \mathcal{E} + \mathcal{D}_\omega(i) + t \models_{\mathcal{A}^G_{\mathit{div}}} \phi_2$, and for all $j \in \mathbb{N}$ and $t' \in \mathbb{R}$ such that $t' \leq t_j$ and $(j, t') \prec (i, t)$, $\omega(j) + t', \mathcal{E} + \mathcal{D}_\omega(j) + t' \models_{\mathcal{A}^G_{\mathit{div}}} \phi_1 \vee \phi_2$ (by the definition of the PTCTL satisfaction relation)

$\Leftrightarrow$ there exist $i \in \mathbb{N}$ and $0 \leq t \leq t_i$ such that $(s_i, [\nu_i + t, \mathcal{E} + \mathcal{D}_\omega(i) + t]) \models_{\mathcal{A}^*_{\mathit{div}}} \Phi_2$, and for all $j \in \mathbb{N}$ and $t' \in \mathbb{R}$ such that $t' \leq t_j$ and $(j, t') \prec (i, t)$, $(s_j, [\nu_j + t', \mathcal{E} + \mathcal{D}_\omega(j) + t']) \models_{\mathcal{A}^*_{\mathit{div}}} \Phi_1 \vee \Phi_2$ (by induction)

$\Leftrightarrow$ there exists $i' \in \mathbb{N}$ such that $[\omega](i') \models_{\mathcal{A}^*_{\mathit{div}}} \Phi_2$ and $[\omega](l) \models_{\mathcal{A}^*_{\mathit{div}}} \Phi_1 \vee \Phi_2$ for all $l < i'$ (by construction of $[\omega]$)

$\Leftrightarrow$ $[\omega] \models_{\mathcal{A}^*_{\mathit{div}}} \Phi_1\,\mathcal{U}\,\Phi_2$ (by Definition 26).

It follows from the definition of adversaries, both on probabilistic timed structures and on the region graph, and from the construction of 1, that for all $A \in \mathcal{A}^G_{\mathit{div}}$ there exists an adversary $[A] \in \mathcal{A}^*_{\mathit{div}}$ such that, for some $\mathcal{E}$,
$$
\mathit{Path}^{[A]}_{\mathit{ful}}((s, [\nu, \mathcal{E}])) = \{ [\omega] \mid \omega \in \mathit{Path}^{A}_{\mathit{ful}}((s, \nu)) \} .
$$
Conversely, given a path in the region graph, we can construct a path of $\mathcal{M}^G$ (see 1 above). Using this construction, we can show that, for all adversaries $A^* \in \mathcal{A}^*_{\mathit{div}}$ of the region graph, there exists an adversary $A \in \mathcal{A}^G_{\mathit{div}}$ such that $[A] = A^*$.

From 2, we know that the probability values associated with $\omega$ and $[\omega]$ are the same. Then we can conclude that:
$$
\mathit{Prob}^*(\{\omega^* \mid \omega^* \in \mathit{Path}^{A^*}_{\mathit{ful}}\ \&\ \omega^* \models_{\mathcal{A}^*_{\mathit{div}}} \Phi_1\,\mathcal{U}\,\Phi_2\}) = \mathit{Prob}(\{\omega \mid \omega \in \mathit{Path}^{A}_{\mathit{ful}}\ \&\ \omega, \mathcal{E} \models_{\mathcal{A}^G_{\mathit{div}}} \phi_1\,\mathcal{U}\,\phi_2\})
$$
for some $A \in \mathcal{A}^G_{\mathit{div}}$. $\square$

Using the transformation presented above, we can obtain a PBTL formula $\Phi$ from the PTCTL formula $\phi$. Now we can use the PBTL model checking algorithm to verify whether $\Phi$ holds in an initial state $(s_{\mathit{init}}, [\nu_0, \mathcal{E}])$ of the region graph, where $\nu_0(x) = 0$ for all $x \in X$ and $\mathcal{E}$ is an arbitrary formula clock valuation.

7 Conclusions 

We conclude with a brief analysis of the complexity of our method. The time complexity of PBTL model checking is polynomial in the size of the system (measured by the number of states and transitions) and linear in the size of the formula $\Phi$ (see also the recent improvement of that algorithm). Since the translation from PTCTL to the extended PBTL has no effect on the size of the formula, it follows that model checking PTCTL against probabilistic timed systems is polynomial in the size of the region graph and linear in the size of the PTCTL formula. Note that the addition of probability distributions to timed automata does not significantly increase the size of the region graph over that of the non-probabilistic region graph, and that the freeze quantifier formulae we have added to PBTL can be handled in a straightforward manner.

Future work could address the potential inefficiencies of this method. Model checking of real-time systems is expensive, its complexity being exponential in the number of clocks and in the magnitude of their upper bounds (denoted by $k_c$ in our presentation). However, a number of techniques for combating this inefficiency have been developed for timed automata and could be applied in this context.

Another potential avenue of research is the application of the methods of this paper to hybrid automata, a model for discrete-continuous systems which allows more general continuous dynamics than timed automata. In particular, it is known that certain classes of hybrid automata are reducible to timed automata, and that other classes have finite bisimilarity quotients, both of which may be particularly adaptable to probabilistic extensions.
Abstract. Model checking can tell us whether a system is correct; probabilistic model checking can also tell us whether a system is timely and reliable. Moreover, probabilistic model checking allows one to verify properties that may not be true with probability one, but may still hold with an acceptable probability. The challenge in developing a probabilistic model checker able to handle realistic systems is the construction of the state space and the necessity to solve huge systems of linear equations. To address this problem, we have developed ProbVerus, a tool for the formal verification of probabilistic real-time systems. ProbVerus is an implementation of probabilistic computation tree logic (PCTL) model checking using symbolic techniques. We present ProbVerus, demonstrate its use with a simple manufacturing example, and report the current status of the tool. With ProbVerus, we have been able to analyze, within minutes, the safety logic of a railway interlocking controller with 10^^ states.



1 Introduction 

The large size and high complexity of real-world mission-critical systems make the verification of these systems an extremely difficult problem. To study the complete system, one must also include the system's interface with the environment. Physical systems are stochastic in nature, and randomization makes the verification of probabilistic systems even more difficult because of its nonintuitive effects. At the same time, industries such as transportation, pharmaceuticals, chemicals, and nuclear power are required to meet this challenge while being constantly under the scrutiny of process and product specification. There is a great need for industrial-strength formal methods as well as real-world case studies that can demonstrate their feasibility.

Probabilistic model checking is a method for the formal verification of stochastic systems. The state of the art in probabilistic verification research includes numerous theoretical studies that have led to efficient algorithms; for example, there is an LTL model checking algorithm which is exponential in the size of the formula and polynomial in the size of the Markov chain [9]. The bottleneck in developing a probabilistic model checker able to handle realistic systems is the construction of the state space and the necessity to solve huge systems of linear equations. This paper proposes a novel approach; it presents an implementation of probabilistic model checking using multi-terminal binary decision diagrams (MTBDDs) to perform the probability calculations. MTBDDs, introduced in [8], differ from binary decision diagrams (BDDs) in that the leaves may have values other than 0 and 1; in this case the leaves contain transition probabilities. Hachtel et al. have used algebraic decision diagrams (ADDs, the same as MTBDDs) in the Markovian steady-state analysis of large finite state machines (with up to 10^^ states) [10]. MTBDDs can be integrated with a symbolic model checker and have the potential to outperform other matrix representations because they are very compact, eliminating redundancy and allowing computations on sets of states rather than on individual states. While it is difficult to provide precise time complexity estimates for probabilistic model checking using MTBDDs, the success of BDDs in practice made the MTBDD representation worthwhile to explore.

We have developed ProbVerus, a probabilistic symbolic model checker, which 
combines Probabilistic Computation Tree Logic (PCTL) model checking [11] and 
symbolic techniques. PCTL, which allows the expression of time and probability, has 
been selected for its expressive power and the simplicity of the verification algorithms 
it involves. Sections 2 and 3 introduce the building blocks of ProbVerus, PCTL and 
MTBDDs. Section 4 describes ProbVerus with a short run down of the syntax and the 
semantics of ProbVerus programs. 

In section 5 we demonstrate the use of ProbVerus in the verification of engineering systems by modeling and analyzing the reliability of a simple manufacturing system. By extending model checking to the analysis of probabilistic systems, we have been able to model the stochastic behavior of manufacturing systems: arrival time of successive raw workpieces, processing time on a machine, machine setup time, material handling time, message transmission time, lifetime of a tool, time to failure of a machine or a robot, repair time, and so on. Probabilistic model checking allows us to verify properties of these systems, such as "the probability of the system reaching a deadlock within the first 12 hours of operation is 2%". Such information is extremely useful in the design of such capital-intensive systems, since deadlocks and unscheduled downtime of equipment due to failures are major factors in system performance. Section 6 reports the current status of ProbVerus and concludes with a discussion of the feasibility of the approach in realistic applications.

2 Probabilistic Computation Tree Logic

We use Probabilistic real time Computation Tree Logic (PCTL) introduced in [11]. PCTL augments Clarke, Emerson, and Sistla's CTL [7] with time and probability. The temporal operators ($F$, $G$, $U$) are extended with time bounds and probabilities ($F^{\leq t}_{\geq p}$, $G^{\leq t}_{\geq p}$, $U^{\leq t}_{\geq p}$). The expressive power of the resulting logic is illustrated by the following examples:

• $\mathit{req}\ U^{\leq t}_{\geq p}\ \mathit{ack}$: there is at least a probability $p$ that there is an acknowledgment to the request within $t$ units and $\mathit{req}$ will be true until $\mathit{ack}$ becomes true.

• $G^{\leq t}_{\geq p}\ \neg\mathit{Sysfail}$: there is no system failure $\mathit{Sysfail}$ for $t$ time units with a probability of at least $p$.

• $F^{\leq t}_{\geq p}\ \mathit{alarm}$: there is a probability of at least $p$ that an alarm will be generated within $t$ time units.

PCTL formulas are interpreted over finite-state discrete-time Markov chains. This model has been used in the analysis of complex probabilistic systems, such as dependability analysis of fault-tolerant real-time control systems and performance analysis of commercial computer systems and networks. The Markov model has been the standard model used for probabilistic model checking (Hart and Sharir [13], Lehmann and Shelah [16], Vardi [17], Hansson and Jonsson [11], Alur, Courcoubetis, and Dill [1], Courcoubetis and Yannakakis [9], Aziz et al. [2]).

Markov models are constructed from states and state transitions; a state describes 
the system at one time instant; a state transition describes the change in state at one 
tick. In discrete-time models, all state transitions occur at fixed intervals and are 
assigned probabilities. The basic underlying assumption is that the probability of a 
next state transition depends only on the current state. For reliability analyses, the 
Markov model fits with the standard assumption of constant failure rates, exponen- 
tially distributed interarrival times for failures, and Poisson arrivals of failures. Reli- 
ability models usually assume that repair of a failed system restores it so that the 
failure rate of the repaired system is the same as if no failure had occurred. This 
assumption is valid during the useful life cycle of a component, but not accurate for 
components that improve with time (burn-in period) or components subject to wear 
and aging (wear-out period). This assumption is made nevertheless to allow for ana- 
lytic solutions. 

Model of Computation. PCTL formulas are interpreted over labelled discrete-time Markov chains. Formally, a labelled Markov chain is a tuple $(S, s^i, T, L)$, where

• $S$ is a finite set of states,

• $s^i$ is an initial state,

• $T$ is the transition relation $T : S \times S \to [0, 1]$ such that for all $s \in S$ we have
$$
\sum_{s' \in S} T(s, s') = 1 ,
$$

• $L$ is a labeling function assigning atomic propositions to states, $L : S \to 2^{AP}$.

A path $\pi$ from a state $s_0$ is an infinite sequence $\pi = s_0\, s_1\, s_2 \cdots s_n \cdots$ of states with $s_0$ as the first state and nonzero transition probabilities $T(s_{i-1}, s_i) > 0$, $i = 1, 2, \ldots$. The first state is denoted by $\mathit{first}(\pi)$, and the $k$-th state of path $\pi$ is denoted by $\pi(k)$. A prefix of $\pi$ of length $k$ is defined by $s_0 \to s_1 \to \cdots \to s_k$. We define the probability measure $\mathit{Prob}$ on the probability space $(\mathit{Path}_\omega(s), \Sigma(s))$, where $\mathit{Path}_\omega(s)$ is the set of infinite paths $\pi$ with $\mathit{first}(\pi) = s$, and $\Sigma(s)$ is the smallest $\sigma$-algebra on $\mathit{Path}_\omega(s)$ that contains the sets $\{\pi \in \mathit{Path}_\omega(s) : \chi \text{ is a prefix of } \pi\}$, where $\chi$ ranges over all finite execution sequences starting in $s$. The probability measure $\mathit{Prob}$ on $\mathit{Path}_\omega(s)$ is the unique measure with
$$
\mathit{Prob}\{\pi \in \mathit{Path}_\omega(s) : \chi \text{ is a prefix of } \pi\} = P(\chi) = P(s_0\, s_1 \cdots s_k) = T(s_0, s_1)\, T(s_1, s_2) \cdots T(s_{k-1}, s_k) .
$$

Syntax and Semantics of PCTL. PCTL formulas are state formulas, i.e. they represent properties of states. Given a probabilistic process $P$ described by a labelled Markov chain $M = (S, s^i, T, L)$, PCTL formulas are defined inductively as follows:

• Each atomic proposition is a state formula.

• If $f_1$ and $f_2$ are state formulas, then so are $\neg f_1$ and $(f_1 \wedge f_2)$.

• If $f_1$ and $f_2$ are state formulas and $t$ is a nonnegative integer, then $f_1\, U^{\leq t} f_2$ (strong until) and $f_1\, \mathcal{U}^{\leq t} f_2$ (weak until) are path formulas.

• If $f$ is a path formula and $p$ is a real number with $0 \leq p \leq 1$, then $[f]_{\geq p}$ and $[f]_{> p}$ are state formulas.

For a given state $s$, the formulas $[f]_{\geq p}$ and $[f]_{> p}$ express that the probability of paths starting in $s$ fulfilling the path formula $f$ is at least $p$ and greater than $p$, respectively. We discuss only the bounded operators.

The operator $U$ is the strong until operator and $\mathcal{U}$ is the weak until operator. Intuitively, $[f_1\, U^{\leq t} f_2]_{\geq p}$ means that with a probability of at least $p$ both $f_2$ will become true within $t$ units and $f_1$ will hold until $f_2$ becomes true. $[f_1\, \mathcal{U}^{\leq t} f_2]_{\geq p}$ means that there is at least a probability $p$ that either $f_1$ will remain true for $t$ time units, or that both $f_2$ will become true within $t$ time units and $f_1$ will hold until $f_2$ becomes true.

The truth of PCTL formulas for a labelled Markov chain $M = (S, s^i, T, L)$ is defined by the satisfaction relation $s \models_M f$, which intuitively means that the state formula $f$ is true at state $s$ in $M$. To define the satisfaction relation for states we also use the relation $\sigma \models_M f$, which intuitively means that the path $\sigma$ satisfies the path formula $f$ in $M$. The relations are defined inductively as follows:

$s \models_M a$ if and only if the atomic proposition $a \in L(s)$

$s \models_M \neg f$ if and only if not $s \models_M f$

$s \models_M f_1 \wedge f_2$ if and only if $s \models_M f_1$ and $s \models_M f_2$

$s \models_M f_1 \vee f_2$ if and only if $s \models_M f_1$ or $s \models_M f_2$

$s \models_M f_1 \to f_2$ if and only if $s \models_M \neg f_1$ or $s \models_M f_2$

$\sigma \models_M f_1\, U^{\leq t} f_2$ if and only if there exists $i \leq t$ such that $\sigma(i) \models_M f_2$ and $\forall j : 0 \leq j < i : \sigma(j) \models_M f_1$

$\sigma \models_M f_1\, \mathcal{U}^{\leq t} f_2$ if and only if $\sigma \models_M f_1\, U^{\leq t} f_2$ or $\forall j : 0 \leq j \leq t : \sigma(j) \models_M f_1$

$s \models_M [f_1\, U^{\leq t} f_2]_{\geq p}$ if and only if the probability measure of the set of paths $\sigma$ from $s$ for which $\sigma \models_M f_1\, U^{\leq t} f_2$ is at least $p$.

$s \models_M [f_1\, \mathcal{U}^{\leq t} f_2]_{\geq p}$ if and only if the probability measure of the set of paths $\sigma$ from $s$ for which $\sigma \models_M f_1\, \mathcal{U}^{\leq t} f_2$ is at least $p$.

$s \models_M [f_1\, U^{\leq t} f_2]_{> p}$ if and only if the probability measure of the set of paths $\sigma$ from $s$ for which $\sigma \models_M f_1\, U^{\leq t} f_2$ is greater than $p$.

$s \models_M [f_1\, \mathcal{U}^{\leq t} f_2]_{> p}$ if and only if the probability measure of the set of paths $\sigma$ from $s$ for which $\sigma \models_M f_1\, \mathcal{U}^{\leq t} f_2$ is greater than $p$.


By definition, 



M 1= ® if and only if s' |=® 

i.e., process P satisfies a PCTL formula ® if and only if its initial state s' satisfies <1>. 
We use the shorthand notation: 

/lU 

/lU ;'/2for[f,U^'/2]>^ 

Formulas /jU “ ‘/2 and/j U “ ‘/2 have analogous meanings. 

Model Checking in PCTL. Next we describe the model checking algorithm, which labels the states of a labelled Markov chain $M = (S, s^i, T, L)$ with the PCTL formula $f_1\, U^{\le t}_{\ge p} f_2$. We introduce the function $p(s, t)$ for $s \in S$ and $t$ a non-negative integer, defined as the measure of the set of paths $\pi$ starting in $s$ which satisfy $f_1\, U^{\le t} f_2$:

$$p(s, t) = \mathrm{Prob}\{\pi \in \mathit{Path}_M(s) : \sigma \text{ is a prefix of } \pi \text{ and } \sigma \models_M f_1\, U^{\le t} f_2\}$$

The probability function $p(s, t)$ satisfies the following recurrence equation. For $t \ge 1$:

$$p(s, t) = \begin{cases} 1 & \text{if } s \models_M f_2 \\ 0 & \text{else if } s \not\models_M f_1 \\ \sum_{s' \in S} T(s, s') \times p(s', t-1) & \text{otherwise} \end{cases}$$

For $t = 0$, $p(s, t) = 1$ if $s \models_M f_2$ and $0$ otherwise.



The proof of the above recurrence equation can be found in [11]. This recurrence equation leads to the following algorithm, which computes $p(s, t)$ and labels states with $f_1\, U^{\le t}_{\ge p} f_2$ if $p(s, t)$ is greater than or equal to the given probability $p$.

1. Build the transition probability matrix $P$:

$$P[s_k, s_l] = \begin{cases} T[s_k, s_l] & \text{if } s_k \models f_1 \wedge \neg f_2 \\ 1 & \text{if } k = l \text{ and } s_k \models f_2 \vee (\neg f_1 \wedge \neg f_2) \\ 0 & \text{otherwise} \end{cases}$$

2. Create a vector $v$ indexed by the states such that the $l$-th element of $v$ is set to 1 if $s_l \models f_2$ and 0 otherwise.

3. Compute $P^t$, the $t$-th power of the transition probability matrix.

4. Multiply matrix $P^t$ by the vector $v$: $p(s, t) = P^t v$.

5. $s \models f_1\, U^{\le t}_{\ge p} f_2$ if $p(s, t) \ge p$.

6. $M \models f_1\, U^{\le t}_{\ge p} f_2$ if and only if the initial state $s^i \models f_1\, U^{\le t}_{\ge p} f_2$.

3 Multi-terminal Binary Decision Diagrams

BDDs are a canonical representation of boolean functions $f : \{0, 1\}^n \to \{0, 1\}$ proposed by Bryant [3]. They are often more compact than traditional normal forms, such as conjunctive normal form and disjunctive normal form, and can be manipulated efficiently. For these reasons, BDDs have found wide use in CAD applications, including symbolic simulation, verification of combinational logic, and verification of sequential circuits. In 1993 Clarke et al. [8] showed that BDDs can be generalized to represent functions $f : \{0, 1\}^n \to D$ where $D$ is any set of values. Such diagrams are called multi-terminal binary decision diagrams (MTBDDs). MTBDDs can be used to represent $D$-valued matrices efficiently.

MTBDD Representation of Labelled Markov Chains. Let $M = (S, s^i, T, L)$ be a labelled Markov chain. We fix an ordering of atomic propositions and identify each state with the boolean $n$-tuple $e(s)$ of atomic propositions that are true in that state. The transition probabilities are arguments of the function $F : \{0, 1\}^{2n} \to [0, 1]$, $F(x_1, y_1, \ldots, x_n, y_n) = T((x_1, \ldots, x_n), (y_1, \ldots, y_n))$, which allows us to represent the transition probability matrix by an MTBDD over $(x_1, y_1, \ldots, x_n, y_n)$.

The following example illustrates the MTBDD representation of the transition probability matrix: consider a single machine which may be in one of the following states: setup, processing, down. Figure 1 shows the state transition diagram, which captures the transitions between the possible states. After the setup operation the machine starts processing, i.e. it makes a transition to the processing state with probability 1. In the processing state there are two possibilities: the machine finishes processing and goes to the setup state, or the machine fails. We label the transition processing → setup with $p$ and the transition processing → down with $f$, such that $p + f = 1$. After the machine is repaired, it returns to the setup state with probability 1.

Figure 1. State Transition Graph and corresponding Transition Probability Matrix

For simplicity, we use two atomic propositions, $a_1$ and $a_2$, to label the states: $L(\mathit{setup}) = \emptyset$, $L(\mathit{processing}) = \{a_1\}$, $L(\mathit{down}) = \{a_2\}$. We fix the order of $a_1$ and $a_2$ and encode the states as follows: $e(\mathit{setup}) = 00$, $e(\mathit{processing}) = 01$, $e(\mathit{down}) = 10$. Figures 2 and 3 show the function $F$ and the corresponding MTBDD, respectively.



$$F(x_1, y_1, x_2, y_2) = \begin{cases} 1 & \text{if } x_1 y_1 x_2 y_2 \in \{0001, 1000, 1111\} \\ p & \text{if } x_1 y_1 x_2 y_2 = 0010 \\ f & \text{if } x_1 y_1 x_2 y_2 = 0110 \\ 0 & \text{otherwise} \end{cases}$$

Figure 2. Function $F(x_1, y_1, x_2, y_2)$



4 ProbVerus

ProbVerus is an implementation of PCTL model checking using symbolic techniques. It is an extension of Verus [6], a verification tool which combines powerful symbolic model checking techniques and efficient quantitative algorithms for computing minimum and maximum time delays between two events. Verus has already been used to verify several real-time systems: an aircraft controller, the PCI local bus, and a robotics controller [4, 5]. By extending Verus with PCTL model checking and MTBDDs we have created a single verification environment in which we have access to correctness checking, performance analysis, and reliability analysis of a single model of the system.

Figure 3. MTBDD representation of the Transition Probability Matrix

ProbVerus features a language which is designed especially to simplify writing probabilistic real-time programs. It is based on the core Verus language, an imperative language with a syntax similar to C, enriched by special constructs that allow the straightforward expression of timing and stochastic behavior. Designers can use ProbVerus to verify models that are very close to the actual implementation, expressing time and probabilities in a natural and accurate way.

Syntax of the ProbVerus Language. The ProbVerus language includes primary expressions, boolean expressions, assignments, sequential execution, conditionals, probabilistic choice, and loops:

    stmt ::= wait(1) | v = expr | stmt1; stmt2 |
             while cond stmt | if cond stmt1 else stmt2 |
             pselect(p1 : stmt1; ... pn : stmtn)

where $p_1, \ldots, p_n \in [0, 1]$ with $p_1 + \ldots + p_n = 1$, and where

• Var is a set of boolean variables

• v ∈ Var

• expr are Verus expressions

• expr ::= true | false | v | expr1 || expr2 | expr1 && expr2 | !expr

• cond is a boolean expression
ProbVerus only has boolean variables. The compiler introduces an auxiliary variable, the wait counter wc, which indicates the wait statement reached by the program in the current state. The integer wc is encoded as the respective sequence of booleans to suit the format. The length of the bitstring needed to represent the wait counter is fixed, and the values of wc in a specific program are determined at compile time of that program.

Semantics of ProbVerus Programs. ProbVerus programs describe Markov chains, the behavior of which is specified by the initial state and the transition probability matrix.

A state in the model corresponds to an assignment of values to the state variables $v_1, v_2, \ldots, v_n$ and is represented by the vector $(v_1, \ldots, v_n)$. There are two copies of the state variables: one for the current state ($v \in V$) and one for the next state ($v' \in V'$). A transition is a relation between states. For two states $s = (v_1, \ldots, v_n)$ and $s' = (v'_1, \ldots, v'_n)$, the transition relation $N(s, s')$ evaluates to true when there is a transition in the model from state $s$ to state $s'$. There is a transition between two states $s$ and $s'$ when the code between two successive wait statements changes state $s$ to state $s'$. An important feature of the tool is the use of the wait statement to synchronize concurrent processes, control time (time elapses by one unit at each wait), and update the values of the global program states. Executing a block of code between two consecutive wait statements atomically, thus collapsing contiguous statements into one transition, leads to models with fewer states, which allows the verification of much larger systems. The transition relation of the program is obtained by taking the disjunction of all relations between wait statements. A path in the transition graph is defined as a sequence of states $s_1, s_2, \ldots$ such that $N(s_i, s_{i+1})$ is true for every $i > 0$. All computations are performed on states reachable from the initial state set.

Our stochastic model does not consider nondeterminism; we define one initial state by assigning fixed values to all the state variables before the first wait statement. Verus restricts the set of accepted programs to those for which a wait statement is traversed at each loop iteration. Every accepted program ends with the statement

    while (true) wait(1);

which guarantees that the final state is observed.

The semantics of ProbVerus programs is computed statement by statement using the following function $R$:

$$R : \mathit{stmt} \times \mathcal{M} \times \mathcal{M} \times \mathbb{N} \to \mathcal{M} \times \mathcal{M} \times \mathbb{N} \times \mathbb{B}$$

where $\mathcal{M}$ is the set of matrices $m : ST \times ST \to [0, 1]$, $ST$ is the state space, $\mathbb{N}$ is the set of naturals and $\mathbb{B}$ is the set of booleans. $R$ has the following arguments:

• statement $\mathit{stmt}$,

• matrix $r : ST \times ST \to [0, 1]$ containing the probabilities of the transitions in the program since the last wait statement,

• transition probability matrix $m : ST \times ST \to [0, 1]$ accumulated between the previously executed wait statements, and

• $w \in \mathbb{N}$, the number of syntactic occurrences of the wait statement encountered so far.

Given the matrix $r$, the matrix $m$, and the counter $w$, which describe the program until the execution of statement $\mathit{stmt}$, the function $R[\![\mathit{stmt}]\!](r, m, w)$ produces the matrix $r'$, the matrix $m'$ and the counter $w'$, which describe the program after executing $\mathit{stmt}$, and determines the value of $b \in \mathbb{B}$, which is true if a wait statement is traversed in each control path through $\mathit{stmt}$.

[15] defines $R[\![\mathit{stmt}]\!](r, m, w)$ for the individual statements and includes a proof that the global transition probability matrix of a ProbVerus program is a stochastic matrix, i.e. the entries of the matrix are real numbers in the [0, 1.0] range and the sum of the elements of each row is equal to 1.

Implementation of PCTL Model Checking. We have implemented the strong until operator (algorithm on page 101), and the F and G operators from the dual formulas [11]:

$$F^{\le t}_{\ge p}\, f = \mathit{true}\; U^{\le t}_{\ge p}\, f$$

$$G^{\le t}_{\ge p}\, f = \neg F^{\le t}_{> (1 - p)}\, (\neg f)$$

All probability calculations are performed with MTBDDs and make use of the following operators:

APPLY Operator. The APPLY operator allows elementwise application of the binary operator op to two MTBDDs. If $Q_1$ and $Q_2$ are two MTBDDs, and op is an operation on the real numbers, then APPLY($Q_1$, $Q_2$, op) yields an MTBDD which represents the function $f(Q_1)$ op $f(Q_2)$, where $f(Q_1)$ is the formula associated with $Q_1$, and $f(Q_2)$ the formula associated with $Q_2$.

Matrix and Vector Operators. The standard operations on matrices and vectors have corresponding operations on the MTBDDs that represent them, such as multiplication of a matrix by a vector or multiplication of two matrices. These operations benefit from the recursive structure of the MTBDD representation of the respective matrices.
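An added example (not ProbVerus code) of the MTBDD representation from Section 3 and the APPLY and matrix-vector operators just described: it builds the reduced MTBDD of Figure 2's function F for the single machine, with constructed values p = 9/10 and f = 1/10, checks that the rows sum to 1, and derives the one-step transition vector into the down state by APPLY followed by summing out the y variables. The hash-consing table, the variable names x1, y1, x2, y2 and the helper names are this example's own.

```python
"""Reduced MTBDD for the single-machine transition matrix of Section 3 (F over
the interleaved order x1, y1, x2, y2), the APPLY operator of Section 4, and a
sum-abstraction that makes APPLY a matrix-by-vector step.  Added example, not
ProbVerus code.  Nodes are hash-consed tuples ("T", value) / ("N", level, low,
high); terminal values are exact Fractions."""
from fractions import Fraction
from typing import Callable, Dict, Iterable, Tuple

Node = tuple

class MtbddTable:
    def __init__(self, variables: Iterable[str]):
        self.vars = list(variables)          # fixed variable order
        self.unique: Dict[tuple, Node] = {}  # canonical node per (level, low, high)

    def terminal(self, value) -> Node:
        key = ("T", Fraction(value))
        return self.unique.setdefault(key, key)

    def node(self, level: int, low: Node, high: Node) -> Node:
        if low == high:                      # both branches agree: drop the test
            return low
        key = ("N", level, low, high)
        return self.unique.setdefault(key, key)

    def build(self, f: Callable[[Dict[str, int]], object]) -> Node:
        """Shannon expansion of f along the variable order; `unique` shares subgraphs."""
        def rec(level, env):
            if level == len(self.vars):
                return self.terminal(f(env))
            v = self.vars[level]
            return self.node(level, rec(level + 1, {**env, v: 0}),
                             rec(level + 1, {**env, v: 1}))
        return rec(0, {})

    def evaluate(self, n: Node, env: Dict[str, int]):
        while n[0] == "N":
            n = n[3] if env[self.vars[n[1]]] else n[2]
        return n[1]

    def apply(self, op: Callable, a: Node, b: Node) -> Node:
        """APPLY(Q1, Q2, op): elementwise op on two MTBDDs of the same order."""
        memo: Dict[Tuple[Node, Node], Node] = {}
        def rec(a, b):
            if (a, b) in memo:
                return memo[(a, b)]
            if a[0] == "T" and b[0] == "T":
                r = self.terminal(op(a[1], b[1]))
            else:
                bottom = len(self.vars)
                la = a[1] if a[0] == "N" else bottom
                lb = b[1] if b[0] == "N" else bottom
                lv = min(la, lb)                 # expand the topmost variable
                a0, a1 = (a[2], a[3]) if la == lv else (a, a)
                b0, b1 = (b[2], b[3]) if lb == lv else (b, b)
                r = self.node(lv, rec(a0, b0), rec(a1, b1))
            memo[(a, b)] = r
            return r
        return rec(a, b)

    def sum_out(self, n: Node, levels: Iterable[int]) -> Node:
        """Sum over the given variables (e.g. every y_i): the matrix-by-vector step."""
        levels, memo = set(levels), {}
        def rec(n, level):
            if level == len(self.vars):          # n is a terminal here
                return n
            if (n, level) in memo:
                return memo[(n, level)]
            lo, hi = (n[2], n[3]) if n[0] == "N" and n[1] == level else (n, n)
            lo, hi = rec(lo, level + 1), rec(hi, level + 1)
            r = (self.apply(lambda u, w: u + w, lo, hi) if level in levels
                 else self.node(level, lo, hi))
            memo[(n, level)] = r
            return r
        return rec(n, 0)

    def size(self, n: Node) -> int:
        seen, stack = set(), [n]                 # distinct nodes, terminals included
        while stack:
            m = stack.pop()
            if m not in seen:
                seen.add(m)
                if m[0] == "N":
                    stack.extend((m[2], m[3]))
        return len(seen)

VARS = ["x1", "y1", "x2", "y2"]   # interleaved current (x) / next (y) bits

def machine_matrix(table: MtbddTable, p, f) -> Node:
    """F of Figure 2: 1 on 0001, 1000, 1111; p on 0010; f on 0110; else 0."""
    entries = {"0001": 1, "1000": 1, "1111": 1, "0010": p, "0110": f}
    return table.build(lambda env: entries.get("".join(str(env[v]) for v in VARS), 0))

def next_state_is(table: MtbddTable, y1: int, y2: int) -> Node:
    """Column selector: 1 exactly when the next-state bits (y1, y2) match."""
    return table.build(lambda env: 1 if (env["y1"], env["y2"]) == (y1, y2) else 0)

def one_step_into(table: MtbddTable, F: Node, y1: int, y2: int) -> Node:
    """Vector over x: probability of moving to state y1y2 in one step, computed as
    APPLY(F, selector, x) and then summing out the y variables (levels 1 and 3)."""
    masked = table.apply(lambda u, w: u * w, F, next_state_is(table, y1, y2))
    return table.sum_out(masked, {1, 3})
```

With p = 9/10 and f = 1/10 the reduced MTBDD has 15 nodes against 31 for the full decision tree, and summing F over the y variables collapses to the single terminal 1, which is the stochasticity check of Section 4 done symbolically.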
5 A Manufacturing Example

In this section we illustrate the use of ProbVerus with a simple example. We model the stochastic behavior and check stochastic properties of a small automated manufacturing system comprised of two numerically controlled machines M1 and M2 that are identical in all respects. Each machine is modeled as a Discrete Time Markov Chain (DTMC) that has three states: (0) the machine is being set up, (1) the machine is processing, and (2) the machine is undergoing repair following a breakdown. Figure 4 shows the state transition diagram, which captures the transitions among these three states. Each arc is labeled with the corresponding one-step transition probability; each transition corresponds to advancing the discrete time one time unit.

Figure 4. DTMC model of fail-prone machine under resume policy (states Setup, Processing, Down; arcs $p_{01}$, $p_{10}$, $p_{12}$, $p_{21}$)

After the setup operation the machine starts processing, hence after state 0 the next state is with certainty state 1 ($p_{01} = 1$). If the current state is state 1, the next state is state 0 or state 2 with probabilities

$p_{10} = \mathrm{Prob}\{\text{processing finishes before failure}\}$

$p_{12} = \mathrm{Prob}\{\text{failure occurs before finishing of processing}\}$

After undergoing repair the machine resumes the processing operation, hence if the current state is state 2, then the next state is always state 1 ($p_{21} = 1$).

We can describe the behavior of the above machine in ProbVerus as follows (Figure 5):

    Machine = Setup;
    wait(1.0);
    while (Machine != Down) {
        if (Machine == Setup) {
            Machine = Processing;
            wait(1.0);
        }
        else if (Machine == Processing) {
            pselect { p10 : Machine = Setup; p12 : Machine = Down; };
            wait(1.0);
        }
    }
    Machine = Processing;
    while (true) { wait(1.0); }

Figure 5. ProbVerus model of a fail-prone machine

Figure 6 displays the DTMC model of the AMS comprised of the two machines M1 and M2. In state s0 the two machines are being set up. In state s1 one of the two machines is processing and in state s2 both machines are processing. While a machine is processing, there are two possibilities: either the machine finishes and returns to the setup state or the machine fails. In s3 one of the machines fails, which then moves for repair in state s4. The system is down when both machines are under repair (state s5).

Figure 6. State Transition Graph of a Two-Machine Manufacturing System

Using ProbVerus, we have modeled the AMS of Figure 6 and checked the PCTL formula $F^{\le t}_{\ge p}\, \mathit{AMS\_is\_down}$, which states that the AMS will fail, i.e. that it will reach a state labeled with $\mathit{AMS\_is\_down}$ (machine M1 is down and machine M2 is down), within $t$ time units after the setup of the system with non-zero probability $p$. We have used the following one-step transition probabilities:

$q_{10} = 0.1663$, $q_{12} = 0.8316$, $q_{13} = 0.0021$,

$q_{21} = 0.987654$, $q_{24} = 0.0123456$,

$q_{31} = 0.04762$, $q_{34} = 0.95238$,

$q_{42} = 0.19802$, $q_{43} = 0.79208$, $q_{45} = 0.0099$,

$q_{54} = 1$,

to compute the probabilities of reaching the state where both machines are down for the first 5 time units of operation of the AMS, as seen in Table 1. For example, after 4 time units all states are labeled with $F^{\le 4}_{\ge 0.000121}\, \mathit{AMS\_is\_down}$ since $p(s_i, 4) \ge 0.000121$ for all the states $s_i$. Such properties are expressible in PCTL since PCTL formulas are interpreted over DTMCs, where each transition of the Markov chain corresponds to one time unit.



Table 1. Successive values of $p$ of $F^{\le t}_{\ge p}\, \mathit{AMS\_is\_down}$

    state / time    0    1           2           3           4           5
    s0              0    0.000000    0.000000    0.000000    0.000121    0.000121
    s1              0    0.000000    0.000000    0.000121    0.000121    0.000333
    s2              0    0.000000    0.000122    0.000122    0.000334    0.000335
    s3              0    0.000000    0.009430    0.009430    0.016570    0.016570
    s4              0    0.009901    0.009900    0.017394    0.017394    0.023100
    s5              1    1           1           1           1           1
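The six-step bounded-until algorithm given earlier and the F/G dual formulas of Section 4, run on the two-machine AMS of this section so that the columns of Table 1 can be recomputed. This is an added example, not ProbVerus code: dense Python lists stand in for the MTBDDs, and it assumes $q_{01} = 1$ (a transition the page does not list, but the only value consistent with Table 1).

```python
"""Bounded-until PCTL model checking on a DTMC, following the six-step
matrix algorithm (P = masked transition matrix, p(s, t) = P^t v) and the
F/G dual formulas of the ProbVerus paper.  Added example, not the tool's
code: dense Python lists stand in for the MTBDDs."""
from typing import List, Sequence

Matrix = List[List[float]]


def build_p_matrix(T: Matrix, sat_f1: Sequence[bool], sat_f2: Sequence[bool]) -> Matrix:
    """Step 1: P[k][l] = T[k][l] if s_k |= f1 and not f2;
    1 if k == l and (s_k |= f2, or s_k satisfies neither); 0 otherwise."""
    n = len(T)
    P = [[0.0] * n for _ in range(n)]
    for k in range(n):
        if sat_f1[k] and not sat_f2[k]:
            P[k] = [float(x) for x in T[k]]
        else:                       # f2 already holds, or f1 failed: absorb
            P[k][k] = 1.0
    return P


def mat_vec(P: Matrix, v: List[float]) -> List[float]:
    return [sum(P[k][l] * v[l] for l in range(len(v))) for k in range(len(P))]


def bounded_until_prob(T, sat_f1, sat_f2, t: int) -> List[float]:
    """Steps 2-4: p(s, t) = P^t v with v[l] = 1 iff s_l |= f2.  Applying P to v
    t times equals forming P^t first (step 3) without building the power."""
    P = build_p_matrix(T, sat_f1, sat_f2)
    v = [1.0 if b else 0.0 for b in sat_f2]
    for _ in range(t):
        v = mat_vec(P, v)
    return v


def until_states(T, sat_f1, sat_f2, t, p, strict=False) -> List[int]:
    """Step 5: indices of states labelled f1 U^{<=t}_{>=p} f2 (or _{>p} if strict)."""
    probs = bounded_until_prob(T, sat_f1, sat_f2, t)
    return [s for s, q in enumerate(probs) if (q > p if strict else q >= p)]


def eventually_states(T, sat_f, t, p) -> List[int]:
    """F^{<=t}_{>=p} f = true U^{<=t}_{>=p} f."""
    return until_states(T, [True] * len(T), sat_f, t, p)


def always_states(T, sat_f, t, p) -> List[int]:
    """G^{<=t}_{>=p} f = not F^{<=t}_{>(1-p)} (not f)."""
    not_f = [not b for b in sat_f]
    bad = set(until_states(T, [True] * len(T), not_f, t, 1 - p, strict=True))
    return [s for s in range(len(T)) if s not in bad]


def model_satisfies(T, sat_f1, sat_f2, t, p, initial=0) -> bool:
    """Step 6: M |= f1 U^{<=t}_{>=p} f2 iff the initial state is labelled."""
    return initial in until_states(T, sat_f1, sat_f2, t, p)


# Two-machine AMS of Section 5 (states s0..s5) with the one-step probabilities
# listed in the paper.  q01 = 1 is not printed on the page and is assumed here
# (from s0, both machines in setup, the system always moves to s1); it is the
# value that reproduces Table 1.  s5 is the only state labelled AMS_is_down.
AMS_T = [
    [0, 1, 0, 0, 0, 0],
    [0.1663, 0, 0.8316, 0.0021, 0, 0],
    [0, 0.987654, 0, 0, 0.0123456, 0],
    [0, 0.04762, 0, 0, 0.95238, 0],
    [0, 0, 0.19802, 0.79208, 0, 0.0099],
    [0, 0, 0, 0, 1, 0],
]
AMS_DOWN = [False, False, False, False, False, True]


def is_stochastic(T: Matrix, tol: float = 1e-5) -> bool:
    """Sanity check from Section 4: every row must sum to 1 (up to rounding)."""
    return all(abs(sum(row) - 1.0) < tol for row in T)


def ams_down_probs(t: int) -> List[float]:
    """Column t of Table 1: p(s_i, t) for F^{<=t} AMS_is_down."""
    return bounded_until_prob(AMS_T, [True] * 6, AMS_DOWN, t)


if __name__ == "__main__":
    assert is_stochastic(AMS_T)
    for t in range(6):
        print(t, ["%.6f" % q for q in ams_down_probs(t)])
    print("all states labelled at t=4, p=0.000121:",
          eventually_states(AMS_T, AMS_DOWN, 4, 0.000121) == list(range(6)))
```

With these inputs p(s1, 5) evaluates to about 0.000313 whereas Table 1 prints 0.000333; every other entry of the table is reproduced to within rounding of the listed probabilities.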



6 Current Status 

We have been testing the modeling range of ProbVerus with success in a series of application domains: manufacturing, transportation, and fault-tolerant industrial process control systems. The example we have described demonstrates that ProbVerus provides the language to describe the stochastic behavior of manufacturing systems in a straightforward manner. PCTL allows the expression of the stochastic properties, which is critical information when designing automated manufacturing systems and analyzing their performance, availability, and reliability. Moreover, probabilistic model checking allows us to combine the performance (quantitative timing analysis) and reliability (quantitative probability analysis) early in the design phase of manufacturing systems. This is significant because real-world automated manufacturing systems must meet competitive levels of productivity and pay-back ratio where high costs are involved.

An important question is how our techniques scale up to large systems. Our largest case study is based on ACC ("Apparato Centrale a Calcolatore") [14], a complex industrial safety-critical system developed by Ansaldo Trasporti for the control of medium and large-size railway stations. A set of qualitative (e.g. safety, liveness) and quantitative (e.g. response times and probabilities) properties have been automatically analyzed. Despite the complexity of the system (the model has about 10^^ states) specifications were checked in 329 seconds using a Sparc 10 with dual processors and 256Mb of memory. During the verification of the ACC design, we discovered a subtle and anomalous behavior leading to a deadlock of the system. The anomalous behavior was pinpointed by an automatically generated counterexample trace, showing precisely the behavior leading to the violating state. The same behavior blocked the entire operation during a field test of an earlier version of the system. When we modeled possible failures in the communication between the controller and the physical devices, i.e. when the control variables of the safety logic are not in agreement with the values of the corresponding physical level crossing variables, then safety specifications were violated. Therefore, a failure in the sensing operation may lead to a clear_signal although the gate may still be moving, or the actual level crossing is not closed. We have computed the probability of reaching unsafe states within seconds. Our numerical analysis has been performed assuming a serial link between the controller and the physical devices for which reliability information is published. Vital railway controllers, such as the ACC system, implement appropriate error recovery mechanisms for the occurrence of vital/non-vital communication failures, which have not been modeled. Our probabilistic analysis is intended to illustrate the valuable information probabilistic model checking can provide to the engineers who design and validate safety-critical systems.

7 Conclusions and Future Work 

This paper presents a new tool for the formal verification of stochastic systems. We have implemented PCTL model checking using multi-terminal binary decision diagrams (MTBDDs) within the Verus verification tool. The PCTL logic allows the expression of time and probabilities, which are needed for the verification of stochastic systems such as fault-tolerant real-time control systems, networks, and manufacturing systems. BDDs and MTBDDs provide a compact representation of the model by representing sets of states rather than individual states. Moreover, symbolic techniques are amenable to efficient verification algorithms. By extending Verus, we have created an environment which allows the verification and quantitative analysis of a single model using CTL, RTCTL, and PCTL model checking. While model checking can tell us whether a system is correct, probabilistic model checking can also tell us whether the system is timely and reliable. Moreover, an advantage of probabilistic model checkers over non-probabilistic model checkers is that they allow one to verify properties that may not be true with probability equal to one, but may still hold with some acceptable probability. ProbVerus allows the safety analysis and verification to take place concurrently with the system design so that design errors are detected and corrected prior to the traditional test phase. The use of symbolic techniques (BDDs and MTBDDs), in contrast to an explicit-state implementation of PCTL model checking, makes it possible to analyze larger systems, making probabilistic symbolic model checking a feasible approach worth further development.
Abstract. Published results show that various models may be obtained by combining parallel composition with probability and with or without non-determinism. In this paper we treat this problem in the setting of process algebra in the form of ACP. First, probabilities are introduced by an operator for the internal probabilistic choice. In this way we obtain the Basic Process Algebra with probabilistic choice, prBPA. Afterwards, prBPA is extended with parallel composition to $\mathrm{ACP}^+_\pi$. We give the axiom system for $\mathrm{ACP}^+_\pi$ and a complete operational semantics that preserves the interleaving model for the dynamic concurrent processes. Considering the PAR protocol, a communication protocol that can be used in the case of unreliable channels, we investigate the applicability of $\mathrm{ACP}^+_\pi$. Using in addition only the priority operator and the pre-abstraction operator we obtain a recursive specification of the behaviour of the protocol that can be viewed as a Markov chain.



1 Introduction 

Due to the increasing complexity and the number of components of real-life parallel systems, the probability that a system or some of its components will be subject to failure during operation increases as well. This means that very often it is desirable or even necessary to "predict" the chances of failure occurring in the system. Therefore, it is insufficient to assume that the system is reliable and to specify it under this assumption; there is a need to describe the probabilistic behaviour of the components and the system as a whole. For the last ten years various traditional specification formalisms have been extended with a notion of probabilistic behaviour for different models of probabilistic processes.

Besides this new, probabilistic approach in modelling concurrent systems, non-determinism still has an essential role, especially due to the interleaving of activities of independent components of a system. In treating non-determinism mainly two different approaches have been followed: one approach which allows both non-deterministic and probabilistic choices (e.g. concurrent Markov chains [?], the alternating model [?]), and one where only probabilistic choice is allowed [?].

* Research is supported by PROMACS project, SION 612-10-000 of the Netherlands

J.-P. Katoen (Ed.): ARTS'99, LNCS 1601, pp. 111-…, 1999.
(c) Springer-Verlag Berlin Heidelberg 1999

112 Suzana Andova



The objective of this paper is to introduce a probabilistic version of ACP [?] where non-determinism and probability are combined.

Following the idea of ACP-like process algebra for interleaving parallel composition, we first investigated a probabilistic version of ACP, prACP, where the axiom $x \parallel y = x \lfloor\!\lfloor y + y \lfloor\!\lfloor x + x \mid y$ holds for arbitrary processes $x$ and $y$. This axiom leads to a situation where processes that depend on each other in their probabilistic behaviour are involved in merging atomic actions of $x$ with those of $y$. In Section [?] we give an example of a merge of parallel processes and point out an unwanted outcome that occurs. So we rejected this approach, as it is not suitable for the specification of some concurrent systems such as, for example, the PAR protocol.

Thus, we propose in this paper a new variant of the extension of prBPA by parallel composition. We still keep the idea of the interleaving model, but this time only for dynamic processes (processes that do only a trivial probabilistic transition with probability 1). This novel process algebra has a more complex axiom system than prACP in [?]. But an advantage here is a simple and intuitively clear operational semantics. We use an extra quaternary operator $][$, called merge with memory, which helps in axiomatising the merge of dynamic processes. This operator is not necessary in the sense that an equivalent algebra, called $\mathrm{ACP}^-_\pi$, can be obtained by adding new axioms without any extra operators. These two process algebras, $\mathrm{ACP}^-_\pi$ and the presented $\mathrm{ACP}^+_\pi$, are equivalent but only for processes that do not contain the $\lfloor\!\lfloor$, $\mid$ and $][$ operators. This version of combining probabilities and parallel composition in the framework of the interleaving approach is proposed in [?], where the authors use bundle probabilistic transition systems.

The operational semantics of $\mathrm{ACP}^+_\pi$ is based on the alternating model of [?] and it is defined by a term deduction system of which the signature contains an extended set of constants (each atomic action has a dynamic counterpart) and of which the deduction rules include two transition types: probabilistic and action transitions. The probability associated to a probabilistic transition is determined by the value of a probability distribution function. In the construction of the term models we use probabilistic bisimulation as proposed by Larsen and Skou [?] and we show soundness and completeness of the term model with respect to the proposed axiom systems.

Dealing with the PAR protocol [?], a communication protocol used in cases of unreliable channels, we investigate the applicability of $\mathrm{ACP}^+_\pi$. We give a specification in $\mathrm{ACP}^+_\pi$ of the constituent processes of the protocol and of the whole system. In order to do performance analysis, non-determinism has to be resolved. Using in addition only the priority operator and the pre-abstraction operator [2] we obtain a recursive specification of the behaviour of the protocol that can be viewed as a Markov chain.

2 Basic Process Algebra 

We give a brief introduction of Basic Process Algebra with probabilistic choice 
and a complete operational semantics. 
The signature of Basic Process Algebra with probabilistic choice, prBPA, consists of a (finite) set of constants $A = \{a, b, c, \ldots\}$, a special constant $\delta \notin A$ (we usually denote $A_\delta = A \cup \{\delta\}$) and the binary operators: $+$ (non-deterministic choice), $\cdot$ (sequential composition) and $\uplus_\pi$ (probabilistic choice) for each $\pi \in (0, 1)$. The probabilistic choice operator is modeled after the partial choice operator of [?]. Intuitively, process $x \uplus_\pi y$ behaves like $x$ with probability $\pi$ and behaves like $y$ with probability $1 - \pi$. The choice is already made, and cannot be influenced by the environment. We can observe the outcome, and the probability distribution of the possible outcomes. The axioms for $+$ and $\cdot$ are the standard axioms for $\mathrm{BPA}_\delta$ ([?]) (Table 1, $a \in A$), except that axiom A3 ($x + x = x$) is restricted to atomic actions. A3 is restricted because it does not hold anymore for processes that contain the new choice operator. In our intuition about combining non-determinism and probabilistic choice, the "top" operator is the probabilistic choice, that is, we consider that the probabilistic choice is made first and the non-deterministic choice later. In this way, in the process $(a \uplus_\pi b) + (a \uplus_\pi b)$ a non-deterministic choice between actions $a$ and $b$ is possible with a certain probability, which is not the case in the process $a \uplus_\pi b$. The axioms for the new operators are shown in Table 2 ($\pi \in (0, 1)$).



$x + y = y + x$  A1

$(x + y) + z = x + (y + z)$  A2

$a + a = a$  AA3

$(x + y) \cdot z = x \cdot z + y \cdot z$  A4

$(x \cdot y) \cdot z = x \cdot (y \cdot z)$  A5

$x + \delta = x$  A6

$\delta \cdot x = \delta$  A7

Table 1. $\mathrm{BPA}_\delta$ with restricted A3.



$x \uplus_\pi y = y \uplus_{1 - \pi} x$  PrAC1

$x \uplus_\pi (y \uplus_\rho z) = (x \uplus_{\frac{\pi}{\pi + \rho - \pi\rho}} y) \uplus_{\pi + \rho - \pi\rho} z$  PrAC2

$x \uplus_\pi x = x$  PrAC3

$(x \uplus_\pi y) \cdot z = x \cdot z \uplus_\pi y \cdot z$  PrAC4

$(x \uplus_\pi y) + z = (x + z) \uplus_\pi (y + z)$  PrAC5

Table 2. Additional axioms for prBPA.



We introduce abbreviations in order to deal with probabilistic sums of several arguments:

$x \uplus_\pi y \uplus_\rho z = x \uplus_\pi (y \uplus_{\rho/(1-\pi)} z)$ $\quad (\pi + \rho < 1)$

$x \uplus_\pi y \uplus_\rho z \uplus_\sigma w = x \uplus_\pi (y \uplus_{\rho/(1-\pi)} z \uplus_{\sigma/(1-\pi)} w)$ $\quad (\pi + \rho + \sigma < 1)$, etc.
Example 1. By this example we show the interpretation of non-determinism when it is combined with probabilistic choice. In Figure 1 the transition systems for the processes are shown.

$$(a \uplus_{\frac{1}{2}} b) + (c \uplus_{\frac{1}{3}} d) = (a + c) \uplus_{\frac{1}{6}} (a + d) \uplus_{\frac{1}{3}} (b + c) \uplus_{\frac{1}{6}} (b + d).$$

Fig. 1. An example of non-deterministic choice between probabilistic processes



In [?], the authors propose a method for verification which is based on a partial ordering of processes. They introduce the realization axiom $x \le x \uplus y$, which says that $x$ has less static non-determinism than $x \uplus y$. By the following proposition we show that this approach cannot be followed in the framework of prBPA because such a partial ordering of processes cannot be defined when probabilities are involved.

Proposition 1. If prBPA $\vdash p = q \uplus_\pi p$ for some probability $\pi \in (0, 1)$, then prBPA $\vdash p \sim q$, where $p \sim q$ denotes that the probability of $p$ being equal to $q$ has a limit of 1. □

We define basic terms as representatives of classes of closed terms. Theorem 2, the Elimination theorem, shows that each closed term can be reduced to a basic term. We distinguish two types of basic terms: terms that are constants or that have a non-deterministic choice or a sequential composition as the outermost operator (we denote the set of these terms by $B^+$), and basic terms of the second type, which have a probabilistic choice as the outermost operator. The precise definition of basic prBPA terms is given in [?].

Remark. If we consider terms that only differ in the order of the summands to be identical (i.e. we work modulo axioms A1, A2, PrAC1 and PrAC2) we have that the basic terms are exactly the terms of the form

$$x = X_1 \quad \text{or} \qquad (1)$$

$$x = X_1 \uplus_{\pi_1} X_2 \uplus_{\pi_2} X_3 \cdots X_{n-1} \uplus_{\pi_{n-1}} X_n \quad \text{and } n > 1 \qquad (2)$$

where for each $i$, $1 \le i \le n$, $X_i = \sum_{j < l_i} a_{ij} \cdot u_j + \sum_{k < m_i} b_{ik}$ for certain atomic actions $a_{ij}$ and $b_{ik}$, basic terms $u_j$ and $n, m_i, l_i \in \mathbb{N}$. We have the convention that $\sum_{j < 0} s_j = \delta$.
Theorem 2 (Elimination theorem). Let $p$ be a closed prBPA term. Then there is a basic prBPA term $q$ such that prBPA $\vdash p = q$. □

Further, by $SP$ (the set of static processes) we will denote the set of all closed terms over the signature of prBPA, $\Sigma_{\mathrm{prBPA}}$. By $D$ we denote the set of closed prBPA terms of which an associated basic term, which exists by the Elimination theorem, is a term from $B^+$.

2.1 Structured Operational Semantics of prBPA

The operational semantics consists of two types of transition rules, probabilistic transitions and action transitions, and it is based on the alternating model as proposed in [?]. Each process in our model may make either probabilistic transitions or atomic transitions, but not both. Action transitions are labelled with atomic actions: $\xrightarrow{a}$. Although in the presentation of processes as probabilistic transition systems we will use labelled probabilistic transitions $\leadsto_\pi$, in the formal description of the operational semantics probabilistic transitions are unlabelled: $\leadsto$. If process $p$ may do a probabilistic transition to process $x$, $p \leadsto x$, there is a non-zero probability with which process $p$ may behave as process $x$. The probability that this transition may happen is determined by a probability distribution function $\mu(p, x)$.

In order to distinguish processes that may do a probabilistic transition and processes that may do an action transition we consider a term deduction system with a signature different from the signature of prBPA by the addition of new constants. If $A$ is the set of atomic actions of prBPA then we define the set of dynamic atomic actions $\breve{A}_\delta = \{\breve{a} \mid a \in A_\delta\}$. By a symbol $\breve{a}$ ($a \ne \delta$) we denote a process that can successfully terminate by executing $a$. Further we will write $\Sigma_{\mathrm{prBPA}}$ for $(A_\delta \cup \breve{A}_\delta, +, \cdot, \uplus_\pi)$.

Definition 3. We define the set of dynamic processes $DP$ (processes that may do an action transition) in the following way:

1. $\breve{A}_\delta \subseteq DP$;

2. $s \in DP,\ t \in SP \Rightarrow s \cdot t \in DP$;

3. $t, s \in DP \Rightarrow t + s \in DP$.

By $PR$ we denote the set of all static and dynamic processes, that is $PR = SP \cup DP$. Moreover, there is a bijection from $D$ to $DP$.

The operational semantics of prBPA is given by the term deduction system $T = (\Sigma_{\mathrm{prBPA}}, D)$ induced by the deduction rules shown in Table 3, where $a$ is a variable that ranges over the set $A$, and the probability distribution function is as defined in Definition 4.
$$\frac{}{a \leadsto \breve{a}} \qquad \frac{}{\delta \leadsto \breve{\delta}} \qquad \frac{p \leadsto x}{p \cdot q \leadsto x \cdot q} \qquad \frac{p \leadsto x \quad q \leadsto y}{p + q \leadsto x + y} \qquad \frac{p \leadsto x}{p \uplus_\pi q \leadsto x, \quad q \uplus_\pi p \leadsto x}$$

$$\frac{}{\breve{a} \xrightarrow{a} \surd} \qquad \frac{x \xrightarrow{a} x'}{x \cdot y \xrightarrow{a} x' \cdot y} \qquad \frac{x \xrightarrow{a} \surd}{x \cdot y \xrightarrow{a} y} \qquad \frac{x \xrightarrow{a} x'}{x + y \xrightarrow{a} x', \quad y + x \xrightarrow{a} x'} \qquad \frac{x \xrightarrow{a} \surd}{x + y \xrightarrow{a} \surd, \quad y + x \xrightarrow{a} \surd}$$

Table 3. Deduction rules of prBPA.



Definition 4 (Probability distribution function) We define a probability distribution function $\mu : \mathcal{PR} \times \mathcal{PR} \to [0,1]$ as follows: for each $x \in \mathcal{PR}$

$$\begin{aligned}
\mu(a, \check a) &= 1,\\
\mu(\delta, \check\delta) &= 1,\\
\mu(p \cdot q,\ x' \cdot q) &= \mu(p, x'),\\
\mu(p + q,\ x' + x'') &= \mu(p, x')\,\mu(q, x''),\\
\mu(p \boxplus_\pi q,\ x) &= \pi\,\mu(p, x) + (1 - \pi)\,\mu(q, x),\\
\mu(p, x) &= 0 \quad \text{otherwise.}
\end{aligned}$$



Because in the construction of the term model we use the Larsen-Skou probabilistic bisimulation relation (Definition 7), we need to extend the probability distribution function to the power set of $\mathcal{PR}$.

Definition 5 We define the map $\mu^* : \mathcal{PR} \times 2^{\mathcal{PR}} \to [0,1]$ as: for each $M \subseteq \mathcal{PR}$

$$\mu^*(p, M) = \sum_{x \in M} \mu(p, x).$$



Proposition 6. The map $\mu^*$ is well defined. □

From now on we will denote $\mu^*(p, M)$ simply by $\mu(p, M)$.

Process Algebra with Probabilistic Choice 117

Definition 7 Let $R$ be an equivalence relation on the set of processes $\mathcal{PR}$. $R$ is a probabilistic bisimulation if the following four clauses are satisfied:

1. If $pRq$ and $p \leadsto s$, then there is a term $t$ such that $q \leadsto t$ and $sRt$;

2. If $sRt$ and $s \xrightarrow{a} p$ for some $a \in A$, then there is a term $q$ such that $t \xrightarrow{a} q$ and $pRq$;

3. If $sRt$ and $s \xrightarrow{a} \surd$, then $t \xrightarrow{a} \surd$;

4. If $pRq$, then $\mu(p, M) = \mu(q, M)$ for each $M \in \mathcal{PR}/R$.

We say that $p$ is probabilistically bisimilar to $q$, denoted $p \underline{\leftrightarrow} q$, if there is a probabilistic bisimulation $R$ such that $pRq$.

Below we give some obtained technical results. The detailed proofs of these 
propositions are given in 

Proposition 8. If $p$ is an $\mathcal{SP}$ term and $p \leadsto x$, then $x \in \mathcal{DP}$. □

Proposition 9. If $x$ is a $\mathcal{DP}$ term and $x \xrightarrow{a} y$ for some $a \in A$, then $y \in \mathcal{SP}$. □



Remark. From Propositions 8 and 9 it follows easily that we may consider:

1. $\leadsto\ \subseteq \mathcal{SP} \times \mathcal{DP}$,

2. $\xrightarrow{a}\ \subseteq \mathcal{DP} \times \mathcal{SP}$,

3. $\xrightarrow{a} \surd\ \subseteq \mathcal{DP}$,

4. for every probabilistic bisimulation $R$ we have $R \subseteq \mathcal{SP} \times \mathcal{SP} \cup \mathcal{DP} \times \mathcal{DP}$.
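The rules of Table 3, the distribution function of Definition 4 and the bisimulation of Definition 7 can be executed directly on closed terms. The following Python program is an added example, not code from the paper: it encodes closed prBPA terms as tuples (a constructed representation), computes $\mu(p,\cdot)$, derives the action transitions of dynamic terms, and decides probabilistic bisimilarity by partition refinement over the reachable terms, taking the static/dynamic split of the Remark as the initial partition. Exact fractions keep clause 4 an equality test rather than a floating-point comparison.

```python
from fractions import Fraction
from itertools import product

# Constructed tuple encoding of closed prBPA terms (added example, not the paper's code):
#   ('a', n)   atomic action n          ('ad', n)   dynamic atomic action n (the checked n of the paper)
#   ('delta',) deadlock                 ('ddelta',) dynamic deadlock
#   ('seq', p, q)  p . q    ('alt', p, q)  p + q    ('pr', pi, p, q)  p [+]_pi q
TICK = 'tick'   # successful termination

def is_dynamic(t):
    """Membership in DP (Definition 3): dynamic atoms, dynamic . static, dynamic + dynamic."""
    k = t[0]
    if k in ('ad', 'ddelta'):
        return True
    if k == 'seq':
        return is_dynamic(t[1])
    if k == 'alt':
        return is_dynamic(t[1]) and is_dynamic(t[2])
    return False

def mu(p):
    """Probability distribution function of Definition 4 for a static term, as {x: mu(p, x)}."""
    k = p[0]
    if k == 'a':
        return {('ad', p[1]): Fraction(1)}
    if k == 'delta':
        return {('ddelta',): Fraction(1)}
    if k == 'seq':
        return {('seq', x, p[2]): w for x, w in mu(p[1]).items()}
    if k == 'alt':
        return {('alt', x, y): wx * wy
                for (x, wx), (y, wy) in product(mu(p[1]).items(), mu(p[2]).items())}
    if k == 'pr':
        pi, out = Fraction(p[1]), {}
        for x, w in mu(p[2]).items():
            out[x] = out.get(x, Fraction(0)) + pi * w
        for x, w in mu(p[3]).items():
            out[x] = out.get(x, Fraction(0)) + (1 - pi) * w
        return out
    raise ValueError(f'not a static term: {p!r}')

def steps(x):
    """Action transitions of Table 3 for a dynamic term: {(action, target)}, target TICK on termination."""
    k = x[0]
    if k == 'ad':
        return {(x[1], TICK)}
    if k == 'ddelta':
        return set()
    if k == 'seq':
        return {(a, x[2] if t == TICK else ('seq', t, x[2])) for a, t in steps(x[1])}
    if k == 'alt':
        return steps(x[1]) | steps(x[2])
    raise ValueError(f'not a dynamic term: {x!r}')

def reachable(*roots):
    """All terms reachable from the roots through probabilistic and action transitions."""
    seen, todo = set(), list(roots)
    while todo:
        t = todo.pop()
        if t in seen:
            continue
        seen.add(t)
        if is_dynamic(t):
            todo.extend(tg for _, tg in steps(t) if tg != TICK)
        else:
            todo.extend(mu(t))
    return seen

def bisimilar(p, q):
    """Decide p <-> q (Definition 7) by partition refinement; classes only split, so it terminates.
    Clause 1 is implied by clause 4 once the relation is an equivalence on a finite set of terms."""
    terms = reachable(p, q)
    cls = {t: int(is_dynamic(t)) for t in terms}          # Remark, item 4: never relate static and dynamic
    while True:
        def signature(t):
            if is_dynamic(t):                               # clauses 2 and 3: same labelled moves into classes
                return (cls[t], 'dyn', frozenset((a, None if tg == TICK else cls[tg]) for a, tg in steps(t)))
            agg = {}                                        # clause 4: same mass mu(t, M) on every class M
            for x, w in mu(t).items():
                agg[cls[x]] = agg.get(cls[x], Fraction(0)) + w
            return (cls[t], 'stat', frozenset(agg.items()))
        sigs = {t: signature(t) for t in terms}
        ids = {s: i for i, s in enumerate(sorted(set(sigs.values()), key=repr))}
        new = {t: ids[sigs[t]] for t in terms}
        if len(set(new.values())) == len(set(cls.values())):  # no class was split: the partition is a bisimulation
            return new[p] == new[q]
        cls = new
```

With this encoding $a \boxplus_{1/2} a$ is bisimilar to $a$, while $a \cdot (b \boxplus_{1/2} c)$ is not bisimilar to $a \cdot b \boxplus_{1/2} a \cdot c$: the latter already commits to $b$ or $c$ in its first probabilistic step, which clause 4 detects after the refinement has separated $\check b$ from $\check c$.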



Theorem 10 $\underline{\leftrightarrow}$ is a congruence relation on prBPA. □

Theorem 11 (Soundness) Let $p$ and $q$ be closed prBPA terms. If $prBPA \vdash p = q$ then $p \underline{\leftrightarrow} q$. □



Proposition 12. Let $p$ be a closed prBPA term, $a \in A$, and let $op(p)$ be the number of operators of $p$. Then:

i. if $p \leadsto x$ then $prBPA \vdash p = x$ and $\mu(p, x) = 1$ and $op(x) < op(p)$, or $prBPA \vdash p = q$ for some $q \in \mathcal{SP}$ and $\mu(p, x) < 1$;

ii. if $p \xrightarrow{a} \surd$ then $prBPA \vdash p = a + p$;

iii. if $p \xrightarrow{a} q$ then $prBPA \vdash p = a \cdot q + p$. □

Lemma 13 If $p$, $q$ and $r$ are closed prBPA terms and $\pi \in (0,1)$ such that $p \boxplus_\pi q \underline{\leftrightarrow} p \boxplus_\pi r$, then $q \underline{\leftrightarrow} r$. □

Theorem 14 (Completeness) Let $p$ and $q$ be closed prBPA terms. If $p \underline{\leftrightarrow} q$ then $prBPA \vdash p = q$. □



118 Suzana Andova 



3 Extension with Merge and Communication



Published results concerning the design of probabilistic concurrent systems show various possibilities for combining parallel composition with probability, with or without non-determinism. Different approaches lead to various formalisms and theories that treat this problem, as well as to various semantics. Following the idea of ACP-like process algebra for interleaving parallel composition, we studied a probabilistic version of ACP, prACP, in which the choice of the process that executes the next action is considered to be a non-deterministic choice, and in which, accordingly, the axiom $x \parallel y = x \lfloor\!\lfloor y + y \lfloor\!\lfloor x + x \mid y$ holds for arbitrary processes $x$ and $y$. In this way we obtain a theory with a very simple set of axioms (if we do not consider the axioms for the new operator, these axioms are in essence the same as those of ACP), but unfortunately this is not the case with the associated complete operational semantics, which defines the term model of this process algebra and whose crucial deduction rule (for parallel composition) is

$$\frac{p \leadsto x,\ q \leadsto y,\ p \leadsto x',\ q \leadsto y'}{p \parallel q \leadsto x \lfloor\!\lfloor q + y \lfloor\!\lfloor p + x' \mid y'}$$

In |JLJ we give an example of an application of this process algebra for the specification and performance analysis of concurrent systems, considering the Alternating Bit Protocol. But we realised that this approach to parallel composition does not give the anticipated results for some concurrent probabilistic processes, as the following example shows.

Let us consider the processes $P = send_1$ and $Q = read_1 \boxplus_\pi fail$. The process $P$ executes the action $send_1$, which may be read as "send a datum at port 1", and the process $Q$ executes the action $read_1$ with probability $\pi$, that is, with probability $\pi$ it reads the datum at port 1, or it executes the action $fail$ with probability $1 - \pi$, that is, it fails with probability $1 - \pi$ and no further communication with the process $P$ is possible. We remark that this situation is a realistic one when an unreliable transmission channel is designed (Section 4). We define a communication action $comm_1 = send_1 \mid read_1$. By intuition we expect that the behaviour of the whole system $\partial_H(P \parallel Q)$, for $H = \{send_1, read_1\}$, is described by the process $comm_1 \boxplus_\pi fail \cdot \delta$. But we obtain the following equation:

prACP h 8 h{P II Q) = commi fail- 6 -Crj^i_T ^)2 {fail - 6 + commi) 

As a consequence of the axiom mentioned above and of the given interpretation of the non-deterministic choice between probabilistic processes, a possibility arises to combine the probabilistically dependent processes $fail$ and $comm_1$ in a non-deterministic choice. Moreover, there is a non-zero probability with which deadlock may occur. It is obvious that this process does not match our intuition about the behaviour of the parallel composition given above.

In order to overcome this difficulty, we propose in this paper a new variant of the extension of prBPA by parallel composition. Again, we want to keep the idea of the interleaving model, but only for dynamic processes. For instance, let us consider two processes $X$, a probabilistic choice between $a$ and $b$, and $Y$, a probabilistic choice between $c$ and $d$. Since $X$ may execute $a$ with its given probability and $Y$ may execute $c$ with its given probability, the probability of merging $a$ and $c$ in the parallel composition $X \parallel Y$ is exactly the product of the separate probabilities. After the first action occurrence, for instance if $a$ has been performed, the outcome among the actions $c$ and $d$ is not yet known, so each of these two actions may still be performed in accordance with the given probabilities. In the accompanying figure the transition system of $X \parallel Y$ is shown, where $a \mid c = e$, $a \mid d = f$, $b \mid c = g$ and $b \mid d = h$. This version of combining probabilities and parallel composition with interleaving reasoning is proposed in P|, where the authors use bundle probabilistic transition systems.




3.1 Process Algebra

Below we give a definition (the signature and the axiom system) of the probabilistic version of ACP, called Algebra of Communicating Processes with probabilistic choice, $ACP^+_\pi$, where $+$ stands for the extra merge operator added to this algebra. We remark that this probabilistic version of ACP has a more complex axiom system than the algebra proposed in our earlier work, but an advantage here is a simple and intuitively clear operational semantics.

The signature of $ACP^+_\pi$ consists of the operators of prBPA, three binary operators: $\parallel$ (merge), $\lfloor\!\lfloor$ (left merge) and $\mid$ (communication merge), a unary operator $\partial_H$ (encapsulation) where $H \subseteq A$, and a quaternary operator $][$ (merge with memory). The axioms of the new operators are given in Table 4 together with the conditional axioms given in Tables 5 and 6.

The idea behind the merge with memory operator is to delay a merge of two concurrent processes (the first and the third arguments) as long as at least one of them has a possibility for a nontrivial probabilistic choice (the axioms PrMM2 and PrMM3). If neither of them has a possibility for a nontrivial probabilistic choice (the condition $x = x + x\ \&\ y = y + y$), then the processes may be merged. The other two auxiliary arguments (the second and the fourth) help in the realisation of the interleaving model as described in the previous example. Actually, they contain the two processes which started the parallel composition, because in further derivation these processes may get lost.
$$\begin{array}{lcll}
x \parallel y & = & (x,x)\,][\,(y,y) & \text{PrMM1}\\
(x \boxplus_\pi x',\ z)\,][\,(y,w) & = & (x,z)\,][\,(y,w)\ \boxplus_\pi\ (x',z)\,][\,(y,w) & \text{PrMM2}\\
(x,z)\,][\,(y \boxplus_\pi y',\ w) & = & (x,z)\,][\,(y,w)\ \boxplus_\pi\ (x,z)\,][\,(y',w) & \text{PrMM3}\\
a \lfloor\!\lfloor x & = & a \cdot x & \text{CM2}\\
a \cdot x \lfloor\!\lfloor y & = & a \cdot (x \parallel y) & \text{CM3}\\
(x + y) \lfloor\!\lfloor z & = & x \lfloor\!\lfloor z + y \lfloor\!\lfloor z & \text{CM4}\\
(x \boxplus_\pi y) \lfloor\!\lfloor z & = & x \lfloor\!\lfloor z\ \boxplus_\pi\ y \lfloor\!\lfloor z & \text{PrCM1}\\
a \mid b \cdot x & = & (a \mid b) \cdot x & \text{CM5}\\
a \cdot x \mid b & = & (a \mid b) \cdot x & \text{CM6}\\
a \cdot x \mid b \cdot y & = & (a \mid b) \cdot (x \parallel y) & \text{CM7}\\
(x \boxplus_\pi y) \mid z & = & x \mid z\ \boxplus_\pi\ y \mid z & \text{PrCM6}\\
x \mid (y \boxplus_\pi z) & = & x \mid y\ \boxplus_\pi\ x \mid z & \text{PrCM7}\\
\partial_H(a) & = & a \quad \text{if } a \notin H & \text{D1}\\
\partial_H(a) & = & \delta \quad \text{if } a \in H & \text{D2}\\
\partial_H(x + y) & = & \partial_H(x) + \partial_H(y) & \text{D3}\\
\partial_H(x \cdot y) & = & \partial_H(x) \cdot \partial_H(y) & \text{D4}\\
\partial_H(x \boxplus_\pi y) & = & \partial_H(x) \boxplus_\pi \partial_H(y) & \text{PrD4}
\end{array}$$

Table 4. Additional axioms for $ACP^+_\pi$.

$$x = x + x,\ y = y + y \;\Rightarrow\; (x,z)\,][\,(y,w) = x \lfloor\!\lfloor w + y \lfloor\!\lfloor z + x \mid y$$

Table 5. Merge for dynamic processes (DyM).



The axiom system contains three conditional axioms. All of them have a condition of the form $p = p + p$. In terms of equalities (in the theory), $ACP^+_\pi \vdash p = p + p$ holds for all terms which have as basic term a term from $B^+$. This condition guarantees that communication (in the case of DyPR) and merge (in the case of DyM) will not occur before all possibilities of applying the axioms PrCM6, PrCM7 and PrMM2, PrMM3, respectively, have been exhausted. Moreover, in the model, Lemma 22 shows that the property $p \underline{\leftrightarrow} p + p$ holds for all processes which cannot do probabilistic transitions to different equivalence classes.

Elimination of the $\parallel$, $\lfloor\!\lfloor$, $\mid$, $\partial_H$ and $][$ operators from closed $ACP^+_\pi$ terms is guaranteed by the following theorem:

Theorem 15 (Elimination theorem of $ACP^+_\pi$) Let $p$ be a closed $ACP^+_\pi$ term. Then there is a closed prBPA term $q$ such that $ACP^+_\pi \vdash p = q$. □
$$z = z + z \;\Rightarrow\; (x + y) \mid z = x \mid z + y \mid z$$

$$z = z + z \;\Rightarrow\; z \mid (x + y) = z \mid x + z \mid y$$

Table 6. Communication merge for dynamic processes (DyPR).



3.2 Structured Operational Semantics of $ACP^+_\pi$

In $ACP^+_\pi$, as in prBPA, we need to distinguish static from dynamic processes. Indeed, we obtain the term model of $ACP^+_\pi$ as an extension of the term model of prBPA, that is, by extending the signature and the set of deduction rules of the term deduction system and the probability distribution function given in Section 2. We consider the signature $\Sigma_{ACP^+_\pi} = (A_\delta \cup \check A_\delta,\ +,\ \cdot,\ \boxplus_\pi,\ \parallel,\ \lfloor\!\lfloor,\ \mid,\ \partial_H,\ ][)$.

Analogously, we extend the sets of static and dynamic processes as follows:

Definition 16 The set of static processes $\mathcal{SP}(ACP^+_\pi)$ in $ACP^+_\pi$ is the set of all closed terms over the signature of $ACP^+_\pi$, $\Sigma_{ACP^+_\pi}$.

The set of dynamic processes $\mathcal{DP}(ACP^+_\pi)$ over the signature $\Sigma_{ACP^+_\pi}$ is defined inductively as follows:

1. $\check A_\delta \subseteq \mathcal{DP}(ACP^+_\pi)$;

2. $s, t \in \mathcal{DP}(ACP^+_\pi) \Rightarrow s + t,\ s \mid t,\ \partial_H(s) \in \mathcal{DP}(ACP^+_\pi)$;

3. $s \in \mathcal{DP}(ACP^+_\pi),\ t \in \mathcal{SP}(ACP^+_\pi) \Rightarrow s \cdot t,\ s \lfloor\!\lfloor t \in \mathcal{DP}(ACP^+_\pi)$.

The operational semantics is defined by the deduction rules for the new operators in $ACP^+_\pi$ given in Table 7, where $a, b, c$ range over $A$ and $H \subseteq A$, and by the probability distribution function (Definition 4 and Definition 17).

Definition 17 The probability distribution function $\mu : \mathcal{PR}(prACP) \times \mathcal{PR}(prACP) \to [0,1]$ is defined by the equalities given in Definition 4 and the following:

$$\begin{aligned}
\mu(p \parallel q,\ x' \lfloor\!\lfloor q + x'' \lfloor\!\lfloor p + x' \mid x'') &= \mu(p, x')\,\mu(q, x''),\\
\mu(p \lfloor\!\lfloor q,\ x' \lfloor\!\lfloor q) &= \mu(p, x'),\\
\mu(p \mid q,\ x' \mid x'') &= \mu(p, x')\,\mu(q, x''),\\
\mu(\partial_H(p),\ \partial_H(x')) &= \mu(p, x'),\\
\mu((p,z)\,][\,(q,w),\ x' \lfloor\!\lfloor w + x'' \lfloor\!\lfloor z + x' \mid x'') &= \mu(p, x')\,\mu(q, x'').
\end{aligned}$$



3.3 Soundness and Completeness

Definition 18 The probabilistic bisimulation in $ACP^+_\pi$ is defined in the same way as in prBPA.






$$\frac{p \leadsto x,\ q \leadsto y}{p \parallel q \leadsto x \lfloor\!\lfloor q + y \lfloor\!\lfloor p + x \mid y} \qquad\qquad \frac{p \leadsto x,\ q \leadsto y}{(p,z)\,][\,(q,w) \leadsto x \lfloor\!\lfloor w + y \lfloor\!\lfloor z + x \mid y}$$

$$\frac{p \leadsto x}{p \lfloor\!\lfloor q \leadsto x \lfloor\!\lfloor q} \qquad\qquad \frac{p \leadsto x,\ q \leadsto y}{p \mid q \leadsto x \mid y} \qquad\qquad \frac{p \leadsto x}{\partial_H(p) \leadsto \partial_H(x)}$$

$$\frac{x \xrightarrow{a} p}{x \lfloor\!\lfloor y \xrightarrow{a} p \parallel y} \qquad\qquad \frac{x \xrightarrow{a} \surd}{x \lfloor\!\lfloor y \xrightarrow{a} y}$$

$$\frac{x \xrightarrow{a} p,\ y \xrightarrow{b} q,\ \gamma(a,b) = c}{x \mid y \xrightarrow{c} p \parallel q} \qquad \frac{x \xrightarrow{a} p,\ y \xrightarrow{b} \surd,\ \gamma(a,b) = c}{x \mid y \xrightarrow{c} p} \qquad \frac{x \xrightarrow{a} \surd,\ y \xrightarrow{b} q,\ \gamma(a,b) = c}{x \mid y \xrightarrow{c} q} \qquad \frac{x \xrightarrow{a} \surd,\ y \xrightarrow{b} \surd,\ \gamma(a,b) = c}{x \mid y \xrightarrow{c} \surd}$$

$$\frac{x \xrightarrow{a} p,\ a \notin H}{\partial_H(x) \xrightarrow{a} \partial_H(p)} \qquad\qquad \frac{x \xrightarrow{a} \surd,\ a \notin H}{\partial_H(x) \xrightarrow{a} \surd}$$

Table 7. Operational semantics of $ACP^+_\pi$.



Theorem 19 $\underline{\leftrightarrow}$ is a congruence relation on $ACP^+_\pi$. □



Lemma 20 If $p \in \mathcal{SP}(ACP^+_\pi)$ and $p \leadsto x$ for some closed term $x$ over the signature $\Sigma_{ACP^+_\pi}$, then $x \in \mathcal{DP}(ACP^+_\pi)$. □

Lemma 21 If $x \in \mathcal{DP}(ACP^+_\pi)$ then $x \underline{\leftrightarrow} x + x$. □

Lemma 22 Let $p$ be a closed $ACP^+_\pi$ term such that $p \underline{\leftrightarrow} p + p$. Then if $p \leadsto x'$ and $p \leadsto x''$ for some $x', x'' \in \mathcal{DP}(ACP^+_\pi)$, then $x' \underline{\leftrightarrow} x''$. □

Theorem 23 (Soundness) Let $p$ and $q$ be closed $ACP^+_\pi$ terms. If $ACP^+_\pi + DyPR + DyM \vdash p = q$ then $p \underline{\leftrightarrow} q$. □

In order to prove completeness we use the method given in m m, 0. By a trivial check of the conditions in Theorem 4.8 in |H| we can prove the following result:

Theorem 24 (Operational conservative extension) The term deduction system determined by the signature and operational rules of $ACP^+_\pi$ is an operational conservative extension of the one for prBPA. □

As we need an operational conservative extension up to probabilistic bisimulation, we need to check whether this relation is defined "in terms of predicate and relation symbols". Apart from the fourth clause in Definition 7, the probabilistic bisimulation relates terms level by level, that is, transition by transition. Using the previous theorem on operational conservative extension we obtain that for each closed prBPA term $s$, its term-relation-predicate diagrams (in our terminology, its transition system) in both prBPA and $ACP^+_\pi$ are the same. Because $\underline{\leftrightarrow}$ is defined in the same way for transitions in prBPA and $ACP^+_\pi$, and the term-transition diagrams of $s$ and $t$ ($s, t \in \mathcal{SP}$) are the same in both term deduction systems, we have that $prBPA \vdash s \underline{\leftrightarrow} t \iff ACP^+_\pi \vdash s \underline{\leftrightarrow} t$.

Theorem 25 (Completeness) Let $p$ and $q$ be closed $ACP^+_\pi$ terms. If $p \underline{\leftrightarrow} q$ then $ACP^+_\pi + DyPR + DyM \vdash p = q$. □

3.4 An Equivalent Axiomatization

In this section we give an axiom system that can be considered equivalent to $ACP^+_\pi$, in the sense that an equation between terms that do not contain the $\lfloor\!\lfloor$, $\mid$ and $][$ operators holds in one theory if and only if it holds in the other. The main idea behind proposing a new axiom system is to find an appropriate theory that does not have any extra operators. As already mentioned, in order to obtain a complete axiom system for the term model determined by the deduction rules in Table 3 and Table 7, the merge with memory operator had to be added to $ACP_\pi$.

We denote the new process algebra by $ACP_\pi$. The signature of $ACP_\pi$ consists of the operators of prBPA, three binary operators: $\parallel$ (merge), $\lfloor\!\lfloor$ (left merge) and $\mid$ (communication merge), and a unary operator $\partial_H$ (encapsulation) where $H \subseteq A$. The axioms of these operators are given in Table 8, together with the axioms D1-D4 and PrD4 in Table 4 and the conditional axioms given in Table 6.



$$\begin{array}{lcl}
x \parallel y & = & x \lfloor\!\lfloor y + y \lfloor\!\lfloor x + x \mid y\\[2pt]
(x \boxplus_\pi x') \lfloor\!\lfloor z + y \lfloor\!\lfloor w + (x \boxplus_\pi x') \mid y & = & (x \lfloor\!\lfloor z + y \lfloor\!\lfloor w + x \mid y)\ \boxplus_\pi\ (x' \lfloor\!\lfloor z + y \lfloor\!\lfloor w + x' \mid y)\\
x \lfloor\!\lfloor z + (y \boxplus_\pi y') \lfloor\!\lfloor w + x \mid (y \boxplus_\pi y') & = & (x \lfloor\!\lfloor z + y \lfloor\!\lfloor w + x \mid y)\ \boxplus_\pi\ (x \lfloor\!\lfloor z + y' \lfloor\!\lfloor w + x \mid y')\\[2pt]
a \lfloor\!\lfloor x & = & a \cdot x\\
a \cdot x \lfloor\!\lfloor y & = & a \cdot (x \parallel y)\\
(x + y) \lfloor\!\lfloor z & = & x \lfloor\!\lfloor z + y \lfloor\!\lfloor z\\
a \mid b \cdot x & = & (a \mid b) \cdot x\\
a \cdot x \mid b & = & (a \mid b) \cdot x\\
a \cdot x \mid b \cdot y & = & (a \mid b) \cdot (x \parallel y)
\end{array}$$

Table 8. Additional axioms for $ACP_\pi$.



It can be noticed that the distribution laws PrCM1, PrCM6 and PrCM7 are not included in this axiom system. As a result, if we consider this theory as an extension of prBPA, then the Elimination theorem no longer holds.
4 PAR Protocol

In this section we consider the PAR protocol (Positive Acknowledgement with Retransmission protocol) as it is described in the literature. We give a specification in $ACP^+_\pi$ of the constituent processes of the protocol and of the whole system. In order to do a performance analysis of the system, non-determinism has to be resolved. Using only a partial ordering of the set of atomic actions and pre-abstraction, we derive the recursive specification of the behaviour of the protocol, which can be viewed as a Markov chain.




[Figure 3 shows the five components of the protocol: the sender S with its timer T, the channels K and L, and the receiver R, connected through numbered communication ports.]

Fig. 3. Components of the protocol



The protocol is modelled as five processes: one sender process $S$, equipped with the timer $T$, one receiver $R$ and two communication channels $K$ and $L$ (Figure 3). The sender sends a message to the receiver via a communication channel, starts the timer and then waits for an acknowledgement. After having received a message, the receiver writes the message at the output port and sends an acknowledgement to the sender. A control bit is used in order to avoid writing a message multiple times at the output port. If a message or acknowledgement is sent via the (unreliable) channels $K$ or $L$, three situations can occur: 1) the message is transmitted correctly, 2) the message is damaged in transit, 3) the message gets lost in the channel. If the sender receives a damaged acknowledgement it sends a duplicate of the sent message. If the sent message or the acknowledgement has been lost in the channel, no other action can be performed except the time-out communication action between $T$ and $S$. When the sender gets the time-out message from the timer it sends a duplicate of the sent message. The unreliability of channel $K$ (channel $L$ is specified in the same way) is specified by the probabilistic choice operator: correct transmission of a message with probability $\pi$, corruption of a message with probability $\sigma$ and loss of a message with probability $1 - \pi - \sigma$.

Let $D$ be a finite set of data. The set of atomic actions $A$ contains read, send and communication actions, and the actions $k$ and $l$, which represent the loss of a message and of an acknowledgement, respectively. We use the standard read/send communication function given by $r_k(x) \mid s_k(x) = c_k(x)$ for communication port $k$ and message $x$. The specifications of the five processes are given by the recursive equations in Figure 4.



Sender:

$$\begin{aligned}
S &= S_0\\
S_b &= \sum_{d \in D} r_1(d) \cdot S_b^d \qquad (b = 0, 1)\\
S_b^d &= s_3(db) \cdot s_7(st) \cdot WS_b^d\\
WS_b^d &= r_5(ack) \cdot S_{1-b} + (r_5(\bot) + r_7(to)) \cdot S_b^d \qquad (b = 0, 1,\ d \in D)
\end{aligned}$$

Receiver:

$$\begin{aligned}
R &= R_0\\
R_b &= r_4(\bot) \cdot R_b + \sum_{d \in D} r_4(d\,(1{-}b)) \cdot SR_b + \sum_{d \in D} r_4(db) \cdot s_2(d) \cdot SR_{1-b} \qquad (b = 0, 1)\\
SR_b &= s_6(ack) \cdot R_b \qquad (b = 0, 1)
\end{aligned}$$

Timer:

$$\begin{aligned}
T &= r_7(st) \cdot T'\\
T' &= r_7(st) \cdot T' + s_7(to) \cdot T
\end{aligned}$$

Channels:

$$\begin{aligned}
K &= \sum_{d \in D,\ b \in \{0,1\}} r_3(db) \cdot \big(s_4(db) \boxplus_\pi s_4(\bot) \boxplus_\sigma k\big) \cdot K\\
L &= r_6(ack) \cdot \big(s_5(ack) \boxplus_\rho s_5(\bot) \boxplus_\eta l\big) \cdot L
\end{aligned}$$

Fig. 4. Specification of the five components of the protocol.



As proposed in the literature, in order to verify the protocol we use a unary priority operator $\theta$ in the given specification as well. In Table 9 and Table 10 we give the axioms of the priority operator and the axioms of the auxiliary unless operator $\triangleleft$. We note that the Elimination theorem for the priority operator holds for closed terms, but this is not the case for the unless operator, because distribution laws with probabilistic choice are missing. In the theory we do not consider this a problem, because in the specification of processes this operator appears only as an auxiliary operator of the priority operator, and the conditional axiom DyTH3 guarantees that this operator does not appear between probabilistic processes.

On the set of atomic actions $A$ the following partial ordering is defined:

1. $a < c_7(st)$, for each $a \in A \setminus \{c_7(st)\}$;

2. $c_7(to) < a$, for each $a \in A \setminus \{c_7(to)\}$.

The action $c_7(to)$ has a lower priority than every other atomic action, because a premature time-out can disturb the functioning of the protocol. In order to express that immediately after sending a message the timer is started, the action $c_7(st)$ has been given a higher priority than the other actions. (This assumption is very realistic, because in such a system a communication between the sender and the timer is usually faster than a communication between other processes in the system.)



$$\begin{array}{lcll}
\theta(a) & = & a & \text{TH1}\\
\theta(x \cdot y) & = & \theta(x) \cdot \theta(y) & \text{TH2}\\
\theta(x \boxplus_\pi y) & = & \theta(x) \boxplus_\pi \theta(y) & \text{PrTH4}\\
x = x + x,\ y = y + y \;\Rightarrow\; \theta(x + y) & = & \theta(x) \triangleleft y + \theta(y) \triangleleft x & \text{DyTH3}
\end{array}$$

Table 9. Axioms for the priority operator.



$$\begin{array}{lcll}
a \triangleleft b & = & a \quad \text{if } \neg(a < b) & \text{P1}\\
a \triangleleft b & = & \delta \quad \text{if } a < b & \text{P2}\\
x \triangleleft (y \cdot z) & = & x \triangleleft y & \text{P3}\\
x \triangleleft (y + z) & = & (x \triangleleft y) \triangleleft z & \text{P4}\\
x \cdot y \triangleleft z & = & (x \triangleleft z) \cdot y & \text{P5}\\
(x + y) \triangleleft z & = & (x \triangleleft z) + (y \triangleleft z) & \text{P6}
\end{array}$$

Table 10. Axioms for the unless operator.



The behaviour of the protocol is obtained by composition of the five processes:

$$PAR = t_I \circ \theta \circ \partial_H(S \parallel T \parallel K \parallel L \parallel R),$$

where

$$H = \{r_i(x), s_i(x) \mid i \in \{3,4,5,6,7\},\ x \in (D \times \{0,1\}) \cup \{ack, \bot, st, to\}\}$$

is the set of encapsulated atomic actions and $t_I$ is the pre-abstraction operator (PI), which renames all internal actions from the set

$$I = \{c_i(x) \mid i \in \{3,4,5,6,7\},\ x \in (D \times \{0,1\}) \cup \{ack, \bot, st, to\}\} \cup \{k, l\}$$

into $t$.

Briefly, we describe how non-determinism is resolved in the derivation of the recursive specification given below. First of all, non-determinism which occurs as a result of the conditional axiom DyM is resolved by the encapsulation operator. Then, by merging the atomic actions of the processes in the parallel composition, two sub-processes which contain non-determinism between processes are obtained. In the first case we obtain the following sub-process: $c_7(st) \cdot Q + (c_4(db) \cdot X \boxplus_\pi c_4(\bot) \cdot Y)$, for some processes $Q$, $X$ and $Y$. Then, applying the distribution laws and the axioms of the $\theta$ operator, and taking into account the partial ordering of the set of atomic actions, we obtain that $\theta(c_7(st) \cdot Q + (c_4(db) \cdot X \boxplus_\pi c_4(\bot) \cdot Y)) = c_7(st) \cdot \theta(Q)$. (This situation corresponds to the state of the system in which, in parallel, the timer might be started or the message might be delivered to the receiver, and as a result of the interleaving model non-determinism occurs. Under the assumption that the timer is started immediately after the sender sends the message, this non-deterministic choice is actually deterministic.)

In the second situation we obtain a non-deterministic choice between the process $c_7(to) \cdot R$ and some other process $P$, which may be of the form $a \cdot Z \boxplus b \cdot U \boxplus c \cdot V$ (a probabilistic choice with some probabilities) or $a \cdot Z$, for certain processes $R$, $Z$, $U$, $V$ and atomic actions $a$, $b$ and $c$. (There are more variants in which non-determinism with $c_7(to) \cdot R$ occurs, and we consider all of them in general.) Again, using the axioms of the $\theta$ operator, the axioms of $ACP^+_\pi$ and the partial ordering defined on the set $A$, we obtain that $\theta(c_7(to) \cdot R + P) = \theta(P)$, and $P$ does not have non-determinism as its top operator.
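The resolution just described can be mechanised. The Python program below is an added example, not the paper's code: it implements the priority operator $\theta$ of Table 9 and the unless operator $\triangleleft$ of Table 10 on a constructed tuple encoding of terms, pushes $+$ over $\boxplus_\pi$ before applying DyTH3, and uses the partial ordering of this section as the priority relation. It assumes the standard ACP axioms $x + \delta = x$ and $\delta \cdot x = \delta$, the prBPA axiom $x \boxplus_\pi x = x$, and that $\delta$ neither gains nor gives priority in P1/P2; the process names $Q, X, Y, R, Z, U$ are stood in for by constructed atomic actions. Running it on the two sub-processes above yields $c_7(st) \cdot \theta(Q)$ and $\theta(P)$ respectively.

```python
from fractions import Fraction

# Constructed tuple encoding of terms (added example, not the paper's code):
#   ('a', n) atomic action n   ('delta',) deadlock   ('seq', x, y) x . y   ('alt', x, y) x + y
#   ('pr', p, x, y) x [+]_p y  (probabilistic choice, x with probability p)
DELTA = ('delta',)

def plus(x, y):
    """x + y, with the ACP axiom x + delta = x applied (assumed here)."""
    if x == DELTA:
        return y
    return x if y == DELTA else ('alt', x, y)

def seq(x, y):
    """x . y, with the ACP axiom delta . x = delta applied (assumed here)."""
    return DELTA if x == DELTA else ('seq', x, y)

def pr(p, x, y):
    """x [+]_p y, with the prBPA axiom x [+]_p x = x applied (assumed here)."""
    return x if x == y else ('pr', p, x, y)

def distribute(t):
    """Push + over probabilistic choice, (x [+]_p y) + z = (x + z) [+]_p (y + z) and symmetrically,
    so that DyTH3 is only ever applied to summands without a top-level probabilistic choice."""
    if t[0] != 'alt':
        return t
    x, z = distribute(t[1]), distribute(t[2])
    if x[0] == 'pr':
        return ('pr', x[1], distribute(('alt', x[2], z)), distribute(('alt', x[3], z)))
    if z[0] == 'pr':
        return ('pr', z[1], distribute(('alt', x, z[2])), distribute(('alt', x, z[3])))
    return ('alt', x, z)

def unless(x, z, lt):
    """The unless operator x <| z of Table 10; lt(a, b) is the strict partial ordering a < b."""
    if z[0] == 'seq':                                   # P3: x <| (y . z) = x <| y
        return unless(x, z[1], lt)
    if z[0] == 'alt':                                   # P4: x <| (y + z) = (x <| y) <| z
        return unless(unless(x, z[1], lt), z[2], lt)
    if x[0] == 'seq':                                   # P5: x . y <| z = (x <| z) . y
        return seq(unless(x[1], z, lt), x[2])
    if x[0] == 'alt':                                   # P6: (x + y) <| z = (x <| z) + (y <| z)
        return plus(unless(x[1], z, lt), unless(x[2], z, lt))
    if x == DELTA or z == DELTA:                        # assumption: delta neither gains nor gives priority
        return x
    return DELTA if lt(x[1], z[1]) else x               # P2 / P1 on atomic actions

def theta(t, lt):
    """The priority operator of Table 9: TH1, TH2, PrTH4 and the conditional axiom DyTH3."""
    t = distribute(t)
    k = t[0]
    if k in ('a', 'delta'):                             # TH1
        return t
    if k == 'seq':                                      # TH2
        return seq(theta(t[1], lt), theta(t[2], lt))
    if k == 'pr':                                       # PrTH4
        return pr(t[1], theta(t[2], lt), theta(t[3], lt))
    x, y = t[1], t[2]                                   # DyTH3: both summands are now free of top-level [+]
    return plus(unless(theta(x, lt), y, lt), unless(theta(y, lt), x, lt))

def lt(a, b):
    """The partial ordering of Section 4: every action is below c7(st), c7(to) is below every action."""
    return a != b and (b == 'c7(st)' or a == 'c7(to)')

# The two sub-processes discussed above; Q, X, Y, R, Z, U stand in as constructed atomic actions.
c7st, c7to, c4db, c4bot = ('a', 'c7(st)'), ('a', 'c7(to)'), ('a', 'c4(db)'), ('a', 'c4(bot)')
Q, X, Y, R, Z, U = [('a', n) for n in 'QXYRZU']
first = ('alt', ('seq', c7st, Q), ('pr', Fraction(1, 2), ('seq', c4db, X), ('seq', c4bot, Y)))
second = ('alt', ('seq', c7to, R), ('pr', Fraction(1, 2), ('seq', ('a', 'a'), Z), ('seq', ('a', 'b'), U)))

if __name__ == '__main__':
    print(theta(first, lt))    # c7(st) . theta(Q), here ('seq', ('a', 'c7(st)'), ('a', 'Q'))
    print(theta(second, lt))   # the probabilistic choice P alone, i.e. theta(P)
```

The distribution step is what the text calls "applying the distribution laws": without it DyTH3 would be applied to a summand that still has a probabilistic choice at the top, which its side condition $y = y + y$ forbids.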

We can derive the following recursive specification for PAR (two items, marked with "?", are not legible in the source):

$$\begin{aligned}
P_0 &= \sum_{d \in D} r_1(d) \cdot P_1 & \qquad P_4 &= t \cdot t \cdot P_{?}\\
P_1 &= t \cdot t \cdot (t \cdot P_2 \boxplus_\pi t \cdot t \cdot P_1) & \qquad P_5 &= t \cdot t \cdot t \cdot P_6\\
P_2 &= s_2(d) \cdot P_3 & \qquad P_6 &= t \cdot P_3 \boxplus_{?} t \cdot P_5\\
P_3 &= t \cdot (t \cdot P_0 \boxplus_\rho t \cdot P_1 \boxplus_\eta t \cdot P_5) & &
\end{aligned}$$



The behaviour of the whole process is depicted in Figure 5. In order to obtain a clearer transition system we omit the labels that represent probability 1, and we join a probabilistic and an action transition into one edge. If we abstract from the content of the message sent from the environment, this transition system can be considered a labelled Markov chain. Further, using Markov chain analysis, various results about the behaviour of the protocol can be obtained. We can prove liveness of the protocol by showing that state $P_0$ in Figure 5 is a recurrent state. Moreover, because the $t_I$ operator does not reduce the number of internal actions, we can compute the mean number of actions executed between the reading of two successive data (between two read actions from the environment) by computing the mean recurrence time of state $P_0$. For example, for $\pi = 0.95$, $\rho = 0.92$ and $\eta = 0.07$ this mean number of atomic actions is 7.71.
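The mean recurrence time used above is a first-step (linear-equation) computation on the labelled Markov chain. The Python program below is an added example, not the paper's code: it takes a chain in which every edge carries a probability and the number of atomic actions that edge abstracts, and solves for the expected number of actions between two visits of a state with exact fractions (Gauss-Jordan elimination, no external library). The chain it is run on is a constructed stop-and-wait shape using the paper's $\pi$ and $\rho$ as sample values; it is not the PAR chain of Figure 5, so its result is not the 7.71 reported above.

```python
from fractions import Fraction

def solve(A, b):
    """Solve A h = b over Fractions by Gauss-Jordan elimination; A must be non-singular."""
    n = len(A)
    M = [row[:] + [bi] for row, bi in zip(A, b)]
    for col in range(n):
        piv = next((r for r in range(col, n) if M[r][col] != 0), None)
        if piv is None:
            raise ValueError('singular system: some state cannot reach the start state')
        M[col], M[piv] = M[piv], M[col]
        M[col] = [v / M[col][col] for v in M[col]]
        for r in range(n):
            if r != col and M[r][col] != 0:
                f = M[r][col]
                M[r] = [x - f * y for x, y in zip(M[r], M[col])]
    return [M[r][n] for r in range(n)]

def mean_recurrence(chain, start):
    """Expected number of atomic actions executed between two visits of `start`.
    chain: {state: [(probability, n_actions, next_state), ...]}, probabilities of a state summing to 1.
    First-step analysis: h(s) = sum_j p_j (n_j + h(t_j)) with h(start) = 0; the result is that sum at start."""
    others = [s for s in chain if s != start]
    idx = {s: i for i, s in enumerate(others)}
    n = len(others)
    A = [[Fraction(0)] * n for _ in range(n)]
    b = [Fraction(0)] * n
    for s in others:
        i = idx[s]
        A[i][i] += 1
        for p, k, nxt in chain[s]:
            b[i] += p * k
            if nxt != start:
                A[i][idx[nxt]] -= p
    h = dict(zip(others, solve(A, b))) if n else {}
    return sum(p * (k + (0 if nxt == start else h[nxt])) for p, k, nxt in chain[start])

def par_like_chain(pi, rho):
    """Constructed example chain (not the paper's Figure 5): a stop-and-wait protocol after pre-abstraction.
    Each edge is (probability, number of atomic actions it stands for, next state)."""
    pi, rho = Fraction(pi), Fraction(rho)
    return {
        'P0': [(Fraction(1), 1, 'P1')],               # read a datum from the environment
        'P1': [(pi, 3, 'P2'), (1 - pi, 4, 'P1')],     # send, start timer, frame delivered / frame lost, time-out, retry
        'P2': [(Fraction(1), 1, 'P3')],               # write the datum at the output port
        'P3': [(rho, 2, 'P0'), (1 - rho, 2, 'P1')],   # acknowledgement delivered / acknowledgement lost, retransmit
    }

if __name__ == '__main__':
    m = mean_recurrence(par_like_chain('19/20', '23/25'), 'P0')
    print(m, float(m))   # 3387/437, about 7.75 actions per datum for this constructed chain
```

Recurrence of the start state is exactly what makes the linear system non-singular: if some state could never return to it, the elimination finds a zero pivot and the function reports it instead of returning a meaningless number.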

5 Conclusions and Future Work

The objective of this paper is to introduce a probabilistic version of ACP in which non-determinism and probability are combined. The presented probabilistic process algebra $ACP^+_\pi$ improves on the variant of probabilistic process algebra proposed in PJ. In order to get a more effective axiom system we have proposed a new variant of the extension of prBPA with parallel composition. Following the idea of ACP-like process algebras for the interleaving model, we have given an axiom system in which only parallel dynamic processes are merged. In order to realise this concept we have added an extra quaternary operator $][$, called merge with memory.
Fig. 5. The behaviour of the whole system.



The operational semantics of $ACP^+_\pi$ is based on the alternating model and has been defined by a term deduction system whose signature contains an extended set of constants (each atomic action has a dynamic counterpart) and whose deduction rules include two transition types: probabilistic and action transitions. Instead of labelled probabilistic transitions we have defined the probability distribution function, which gives the probability with which a probabilistic transition may occur. In the construction of the term models we have used probabilistic bisimulation, and we have shown soundness and completeness of the term model with respect to the proposed axiom systems.

Dealing with the PAR protocol with unreliable channels, we have investigated the applicability of $ACP^+_\pi$. We have given a specification in $ACP^+_\pi$ of the constituent processes of the protocol and of the whole system. In order to do a performance analysis, non-determinism has to be resolved. Using in addition only the priority operator and the pre-abstraction operator, we have obtained a recursive specification of the behaviour of the protocol that can be viewed as a Markov chain. Our results indicate that for more complex protocols, where pre-abstraction does not help, non-determinism can be resolved, in order to verify some properties of a system, by the standard methods used in ACP, for instance abstraction, applied only to the sub-processes where non-determinism occurs. In that sense, one direction of our further research is to investigate possibilities of combining abstraction and probability.

We mention as a possible option for future work the integration of a timed 
and probabilistic version of ACP. 
Abstract. In this paper we present a sound and complete axiom system for a probabilistic process algebra with recursion. Soundness and completeness of the axiomatization is given with respect to the testing semantics defined in d2|.



1 Introduction 

During this decade researchers in process algebras have tried to close the gap between formal models and real systems. In particular, features which were abstracted away before have been introduced into these models. This is the case with probabilistic information. Several models have introduced probabilities into process algebras, and these models are classified with respect to the interpretation of probabilities into three groups: reactive, generative and stratified. In the reactive model there is a different probability distribution for every action, that is, there is no probabilistic relation between different actions. In the generative model there is one probability distribution for all the actions. The stratified model is similar to the generative model but takes the probabilistic branching into account. We will try to explain the differences among these models by means of a few simple examples. Consider the (reactive) process $P = (a;P_1 +_p a;P_2) + (b;Q_1 +_q b;Q_2)$. If the environment offers $a$ then $P$ will execute $a$ and then behave as either $P_1$ or $P_2$, with probabilities $p$ and $1-p$ respectively. Something similar happens if the environment offers the action $b$. Nevertheless, it is not specified how this process would behave if both actions were offered simultaneously. Consider the (generative) process $P' = a;P_1 +_p b;P_2$. If the environment offers $a$ then $P'$ will execute $a$ with probability 1 and then behave as $P_1$; if the environment offers $b$ then $P'$ will execute $b$ with probability 1 and then behave as $P_2$; if the environment offers both $a$ and $b$ then $P'$ will execute $a$, with probability $p$, or $b$, with probability $1-p$. Finally, the processes $(a + b) + c$ and $a + (b + c)$, with suitably chosen probabilities on the choices, are equivalent in the generative model but not in the stratified one. In this paper we consider a generative interpretation of probabilities, based on the following reasoning: it allows probabilistic systems to be specified more precisely than the reactive interpretation, while the (semantic) models are not as complicated as those based on the stratified interpretation.
Regarding the testing framework, there have been several proposals for probabilistic extensions (e.g. [31512311 hll 81411 Oil 1 1 1). In this paper we consider an extension of the language PPA described in m. PPA is a probabilistic process algebra featuring two (probabilistic) choice operators: external and internal. It has sometimes been argued that the external choice operator should not be extended with a probability, and in fact there are proposals featuring a probabilistic internal choice while the external choice operator has no probability parameter (e.g. 1231). Instead, we consider it useful to have probabilities in both operators, for a number of reasons. First, in order to have the same expressive power in our language as in a CCS-like language¹, we need to include probabilities in both operators. For example, we could not simulate the simple (generative) process $a +_p b$, which relates $a$ and $b$ probabilistically, with a non-probabilistic external choice. Second, by working with two choice operators we automatically get that the testing equivalence is a congruence, and so we can axiomatize it (working with a CCS-like operator we would need, as usual, to consider the largest congruence contained in the testing equivalence). Finally, there are behaviours which can be specified more precisely by using a probabilistic external choice operator. We illustrate this by means of a simple example. Suppose that we want to specify the behaviour of a library where two users can request books. If only one user requests a book then the book is given to that user, but if both users request the same book the library must give priority to one of them. On the other hand, the system must be somehow fair, avoiding the possibility that, if the two users request the same book, the book is always given to the same person. A simplified version of the system can be specified as $P = a;P +_p b;P$, indicating that if both users request the same book it will be given with probability $p$ to user $a$ and with probability $1-p$ to user $b$. Note that if we use a probabilistic internal choice then there is no guarantee that, if only one user requests the book, it is given to that user, while if we use a non-probabilistic external choice then we cannot specify the notion of priority.

An interesting alternative appears in m, where the probabilistic external choice operator is considered as an operator derived from the probabilistic internal choice and the priority operators. Nevertheless, it is still necessary to include some kind of probability (the extremal value 1) in the external choice operator.

Besides, PPA allows the definition of recursive processes. Moreover, in this paper we extend the language described in m with a parallel operator. Our parallel operator is parameterized by a set of actions (the synchronization set). Regarding probability parameters, no agreement has been reached about the parallel operator (see Q for a discussion of the different possibilities). There are proposals with a probability parameter which assigns weights to the interleaved actions of both components (e.g. EEHl); alternatively, there are proposals adding two probability parameters, one assigning weights to the interleaved actions with respect to the synchronization actions and one assigning weights to the interleaved actions of both components (e.g. [P). In any case, we claim that



^ Actually, most of probabilistic models are based on CCS, or in labeled transition 
systems (which can be easily interpreted as CCS processes). 
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these parameters only change the probability with which actions are executed, 
while the operational behavior remains the same. Taking this into account, and 
for the sake of simplicity, in this paper we consider a parallel operator without 
any probability parameter, but other alternatives can be easily included in our 
framework (they are discussed in ca)- 

The main goal of this paper is to provide a complete and sound axiomatization of testing equivalence for PPA. In [?] a probabilistic extension of the classical testing semantics [?, 12] was defined. Besides, an alternative characterization of the testing semantics (based on an extension of acceptance sets) as well as a fully abstract denotational semantics (based on acceptance trees) were given. So, in order to conclude the semantic trilogy (alternative characterization, denotational semantics, and axiomatic semantics), a suitable axiomatization of the probabilistic testing semantics should be defined. The starting point for the definition of this axiomatization is (as it was for the other semantics) [12]. As will be shown in this paper, some of the axioms are (more or less complicated) probabilistic versions of the axioms corresponding to the nonprobabilistic case, while we must add new axioms in order to cope with the specific problems introduced by probabilities.

There have been previous proposals for probabilistic axiom systems. For example, using Synchronous PCCS and generative probabilities [?], or with reactive probabilities [?]. An axiomatization for a subset of PCCS is presented in [?], and in [?] an axiomatization for ACP finite processes is given. These two proposals also use generative probabilities. Nevertheless, there exists an important difference between all these previous axiomatizations and ours: all of them axiomatize (strong) probabilistic bisimulation, in which there is no abstraction of internal movements (i.e. $\tau$ actions, or equivalently internal transitions). In fact, observational semantics cannot be directly translated from the nonprobabilistic setting, and a suitable definition of probabilistic weak bisimulation for general probabilistic systems was an open problem until [?]. The problem is that there exists some kind of fairness in these semantics. Consider $P = recX.(a;Nil) \oplus_p X$ (or $P = fix\,X.(a;Nil) +_p (\tau;X)$ using a CCS-like notation). If we forget probabilities, $P$ is must equivalent to divergence (because of the $\tau$ loop), but in a probabilistic setting we would expect that if the environment offers $a$ then $P$ would execute it with probability 1, and so $P$ should be (probabilistic) testing equivalent to $a;Nil$. This example illustrates why the axiomatization of our testing equivalence cannot be a simple adaptation of the one for nonprobabilistic processes. We will need a rule to express that this kind of recursively defined processes have the same meaning as a finite one (in the previous case, $a;Nil$).

The work presented in [?] is the most similar to ours. The main differences between their work and ours are that while our testing semantics is defined following the classical approach (i.e. parallel composition of tested process and test), theirs is defined in an unusual (ad hoc) way; besides, they use a reactive interpretation of probabilities (within a probabilistic external choice), which leads to a simplification of the external choice treatment but complicates the intuitive interpretation of some processes. As far as we know, the axiomatization presented in this paper is the first one for a semantics abstracting internal movements (in this case a testing semantics), where recursive processes are allowed and probabilities are interpreted using the generative model.

The rest of the paper is structured as follows. In Section 2 we recall previous results for our calculus. In Section 3 we present a sound and complete axiomatization for finite processes without parallel composition. In Section 4 we consider recursion, and the previous axiomatization is extended to deal with recursive processes. In Section 5 we give axioms for the parallel operator, showing that this operator can be considered as a derived one. Finally, in Section 6 we present our conclusions and a discussion about the inclusion of hiding in our language.

The full proofs of the results in this paper can be found in [?].

2 Preliminaries 

In this section we review our previous results for PPA. The only difference between the language described in this paper and the one presented in [?] is that here we have included a parallel operator. The composition of a process and a test will be defined using the parallel operator of the language. Besides, negative premises in our former operational semantics have been replaced by a syntactic predicate stable and a new function live. Anyway, the induced labeled transition system remains the same as before.

Definition 1 Given a set of actions $Act$ and a set of identifiers $Id$, the set of PPA processes is defined by the BNF expression:

$P ::= Nil \mid \Omega \mid X \mid a;P \mid P \oplus_p P \mid P +_p P \mid P \parallel_A P \mid recX.P$

where $p \in (0,1)$, $a \in Act$, $A \subseteq Act$, and $X \in Id$. □

From now on, except if noted, we only consider closed processes, that is, processes without free occurrences of variables, and we will omit trailing occurrences of $Nil$. In this process algebra $Nil$ is a deadlocked process, $\Omega$ is a divergent process, $a;P$ denotes the action $a$ prefixing the process $P$, $P \oplus_p Q$ denotes an internal choice between $P$ and $Q$ with associated probability $p$, $P +_p Q$ is an external choice between $P$ and $Q$ with associated probability $p$, $P \parallel_A Q$ is the parallel composition of $P$ and $Q$ with synchronization alphabet $A$, and finally $recX.P$ is used to define recursive processes.

Next, we give a syntactic definition for the stability of a process. It expresses that a process has no unguarded internal choices, or equivalently that the process will not be able to execute an internal transition. We also define a function live computing whether a stable process is operationally equivalent to $Nil$.

Definition 2 We define the predicate $stable(P)$ over PPA processes as:

— $stable(Nil) = stable(a;P) = True$

— $stable(\Omega) = stable(X) = stable(P_1 \oplus_p P_2) = stable(recX.P) = False$

— $stable(P_1 +_p P_2) = stable(P_1 \parallel_A P_2) = stable(P_1) \wedge stable(P_2)$

We define the function $live(P)$ over PPA processes as:

— $live(Nil) = 0$

— $live(a;P) = 1$

— $live(P_1 +_p P_2) = live(P_1 \parallel_A P_2) = \max(live(P_1), live(P_2))$

□

Fig. 1. Operational Semantics of PPA. [The figure itself is not reproduced in this text.]

Note that $live(\cdot)$ is not defined for non-stable processes. The set of rules defining the operational semantics is given in Figure 1. There are two types of transitions. The intuitive meaning of an external transition $P \xrightarrow{a}_p Q$ is that if the environment offers all the actions in $Act$, then the probability with which $P$ executes $a$ and then behaves as $Q$ equals $p$; the meaning of an internal transition $P \rightarrowtail_p Q$ is that the process $P$ evolves to $Q$ with probability $p$, without interaction with the environment.

In order to avoid the problem of deriving the same transition in different ways, we use multisets of transitions. For example, consider $P = a +_{\frac12} a$. If we are not careful, we will have the transition $P \xrightarrow{a}_{\frac12} Nil$ only once, while we should have this transition twice (that is why we use multisets). This problem is similar for the $\oplus_p$ and $\parallel_A$ operators. So, in our model, if a transition can be derived in several ways, we consider that each derivation generates a different instance. In particular, when we define the testing semantics we will consider multisets of computations as well. Other approaches to solve this problem are to index transitions (e.g. [?]), to increase the number of rules (e.g. [?]), to define a transition probability function (e.g. [?]), or to add the probabilities associated with the same transition (e.g. [?]).
While the rules for prefix, internal choice, divergence and recursion do not need any explanation, we will briefly explain the rest of the rules. (EXT1-3) indicate that whenever any of the arguments of an external choice can evolve via an internal transition, these transitions are performed until both arguments become stable. (EXT4-5) are applied when both processes are stable and (at least) one of them may execute some observable action. The resulting value is obtained by normalizing the probability $q$ of performing this external transition, taking into account whether one or both processes can perform external transitions.

Example 1 Let $P = (a;Nil) +_p Nil$. We have $P \xrightarrow{a}_1 Nil$, while if we did not use this normalization we would obtain $P \xrightarrow{a}_p Nil$. □

Rules (PAR1-3) are similar to (EXT1-3). If none of the processes can perform internal transitions, then rules (PAR4-6) are applied. (PAR4-5) deal with interleaving actions, while (PAR6) deals with synchronization actions. As usual, in these last three rules we use a normalization factor, $\mu(P,Q,A)$, in order to obtain that the sum of all the external transitions is 1 (or zero if no transition is possible):

$\mu(P,Q,A) = \sum_{a \in A} \{\!|\, p \cdot q \mid \exists P', Q' : P \xrightarrow{a}_p P' \wedge Q \xrightarrow{a}_q Q' \,|\!\} + \sum_{a \notin A} \{\!|\, p \mid \exists P' : P \xrightarrow{a}_p P' \,|\!\} + \sum_{a \notin A} \{\!|\, q \mid \exists Q' : Q \xrightarrow{a}_q Q' \,|\!\}$

As a consequence of this definition of the operational sem­antics, internal and external transitions are not mixed, and then we have the following

Lemma 1 Let $P$ be a process. If there exist $p, P'$ such that $P \rightarrowtail_p P'$ then there do not exist $q, a, P''$ such that $P \xrightarrow{a}_q P''$, or equivalently, if there exist $p, a, P'$ such that $P \xrightarrow{a}_p P'$ then there do not exist $q, P''$ such that $P \rightarrowtail_q P''$. □

We finish this section by generalizing the choice operators to deal with an arbitrary (finite) number of arguments. For the generalized external choice we will use a restricted form, in which all the arguments are prefixed by different actions. These operators will be used, in particular, when we define the notion of normal form.

Definition 3 Let $P_1, P_2, \ldots, P_n$ be processes, and $a_1, a_2, \ldots, a_n \in Act$ different actions. We inductively define the generalized external choice by

1. $\sum_{i=1}^{1} [1]\, a_i;P_i = a_1;P_1$

2. $\sum_{i=1}^{n} [p_i]\, a_i;P_i = (a_1;P_1) +_{p_1} \left(\sum_{i=1}^{n-1} \left[\frac{p_{i+1}}{1-p_1}\right] a_{i+1};P_{i+1}\right)$, for $n > 1$

where $p_1, p_2, \ldots, p_n > 0$ are such that $\sum_{i=1}^{n} p_i = 1$.

We inductively define the generalized internal choice by

1. $\bigoplus_{i=1}^{0} [p_i]\, P_i = \Omega$

2. $\bigoplus_{i=1}^{1} [1]\, P_i = P_1$

3. $\bigoplus_{i=1}^{n} [p_i]\, P_i = \left(\bigoplus_{i=1}^{n} \left[\frac{p_i}{p}\right] P_i\right) \oplus_p \Omega$ [if $p = \sum_{i=1}^{n} p_i < 1 \wedge n > 0$]

4. $\bigoplus_{i=1}^{n} [p_i]\, P_i = P_1 \oplus_{p_1} \left(\bigoplus_{i=1}^{n-1} \left[\frac{p_{i+1}}{1-p_1}\right] P_{i+1}\right)$ [if $\sum_{i=1}^{n} p_i = 1 \wedge n > 1$]

where $p_1, p_2, \ldots, p_n > 0$ are such that $\sum_{i=1}^{n} p_i \le 1$. □

Let us remark that the sum of the probabilities associated with a generalized internal choice may be less than 1. The difference between 1 and this value indicates the probability of divergence. In this case the third clause is applied first, so that the sum of the probabilities associated with the remaining generalized internal choice is equal to 1 (afterwards the second or the fourth clause will be used). We consider that the empty summation (i.e. $\sum_{i=1}^{0} [p_i]\, a_i;P_i$) represents the process $Nil$.

2.1 Testing Semantics 

As in the nonprobabilistic case, tests will be just processes where the alphabet $Act$ is extended with a new action $\omega$ indicating successful termination. The operational semantics of tests is the same as the one for processes (considering $\omega$ as an ordinary action). Now we have to define how a process interacts with a test. As usual, this interaction is modeled by the parallel composition of the process and the test. We will denote the composition of a process $P$ and a test $T$ by $P \mid T$, and it is defined as $P \mid T = P \parallel_{Act} T$. Note that $\omega$ is not included in the synchronization alphabet. Now we will define a function computing the probability with which a test is passed by a process.

Definition 4 Let $P_0$ be a process and $T_0$ be a test. A computation is a sequence of transitions $C = P_0 \mid T_0 \longmapsto_{p_1} P_1 \mid T_1 \longmapsto_{p_2} \cdots P_{n-1} \mid T_{n-1} \longmapsto_{p_n} P_n \mid T_n \cdots$, where $\longmapsto_p$ denotes either $\rightarrowtail_p$ or $\xrightarrow{a}_p$ for some $a \in Act \cup \{\omega\}$. If $C$ is finite we say that $length(C) = n$.

Let $C$ be a computation such that $length(C) = n$. We say that $C$ is successful if $P_{n-1} \mid T_{n-1} \xrightarrow{\omega}_{p_n} P_n \mid T_n$, and there is no other occurrence of $\omega$ in $C$, that is, $\nexists\, n' < n,\ p' : P_{n'-1} \mid T_{n'-1} \xrightarrow{\omega}_{p'} P_{n'} \mid T_{n'}$.

We denote by $\mathcal{C}_{P \mid T}$ the multiset of successful computations of $P \mid T$. We define the probability of a successful computation $S$ as $Pr(S) = \prod_{i=1}^{n} p_i$.

Finally, we define the probability with which the process $P$ passes the test $T$ as $pass(P,T) = \sum_{S \in \mathcal{C}_{P \mid T}} Pr(S)$.

Given two processes $P$ and $Q$, we say that they are testing equivalent, and we write $P \approx Q$, iff for all tests $T$ we have $pass(P,T) = pass(Q,T)$. □

Note that $pass(P,T) = \lim_{n \to \infty} \sum \{\!|\, Pr(S) \mid S \in \mathcal{C}_{P \mid T} \wedge length(S) \le n \,|\!\}$. Let us remark that the role played by tests of the form $a +_p (\tau;\omega)$ in other models (e.g. [?]) is played in our model by tests of the form $a +_p \omega$, which are not trivially passed within our framework. For example, the process $P = a$ passes the test above with probability $1 - p$.

In the following, we will show that the whole family of tests can be reduced to a simpler class of tests. Although this fact is not important for the axiomatic semantics, it strongly simplifies soundness proofs. First, we have that infinite tests (i.e. tests having occurrences of recursion) are not necessary.

Lemma 2 $P \approx Q$ iff for all finite tests $T$ we have $pass(P,T) = pass(Q,T)$. □

Now we define a set of essential tests, called probabilistic barbs, with sufficient discriminatory power to distinguish any pair of non-equivalent processes. These probabilistic barbs are very similar to probabilistic traces [24] if we consider the latter as probabilistic tests.



Definition 5 The set of probabilistic barbs, denoted by $\mathcal{PB}$, is defined by means of the following BNF expression:

$T ::= \sum_{i=1}^{n} [p_i]\,(a_i;Nil) +_p \omega \;\mid\; \sum_{i=1}^{n} [p_i]\, a_i;T_i$

where $p \in (0,1)$, $\sum_{i=1}^{n} p_i = 1$, $a_i \in Act$, and, for some fixed index $s$ and probabilistic barb $T$, $T_i = T$ if $i = s$ and $T_i = Nil$ otherwise. □

Theorem 1 $P \approx P'$ iff for all $T \in \mathcal{PB}$ we have $pass(P,T) = pass(P',T)$. □

In the rest of this paper, mainly in some of the proofs, we will use the denotational semantics for PPA given in [?]. Anyway, previous knowledge of this semantics is not necessary in order to understand the bulk of this paper. In this paper we use the following:

— The denotational semantics of a syntactic process $P$ is denoted by $\llbracket P \rrbracket$.

— The semantic order relation and its induced equivalence are denoted by $\sqsubseteq_{PAT}$ and $=_{PAT}$ respectively.

— The probability with which a process $P$ reaches a node labeled by the state $A$ of its semantic tree after a sequence $s$ is denoted by $p(\llbracket P \rrbracket, s, A)$. In particular, if $P = P_1 \oplus_p P_2$, then $p(\llbracket P \rrbracket, s, A) = p \cdot p(\llbracket P_1 \rrbracket, s, A) + (1-p) \cdot p(\llbracket P_2 \rrbracket, s, A)$.

— The denotational semantics of recursive processes is given by their finite approximations.

— (Full Abstraction) Let $P, Q$ be PPA processes. Then, $P \approx Q$ iff $\llbracket P \rrbracket =_{PAT} \llbracket Q \rrbracket$.



3 Axiomatization for Finite Processes 

In this section we will define an axiom system inducing an equivalence relation, denoted by $=$, among the terms of the language $PPA_{fin}$, which is the subset of PPA where neither $\parallel_A$ nor $recX.P$ have been included. We will also use an order relation $\sqsubseteq$ to define this equivalence relation. This system includes axioms expressing algebraic properties of the operators as well as relations among the operators like distributivity. We will also present some axioms which are sound in the nonprobabilistic framework but not in our case. Soundness of rules (axioms) dealing with $=$ will be shown with respect to the testing equivalence, and we will frequently use Theorem 1, while soundness of the ones corresponding to $\sqsubseteq$ will be shown with respect to the fully abstract denotational semantics equivalence defined in [?]. Although we will mix soundness (and completeness) proofs with respect to either the testing or the denotational semantics, this process is correct. First, we will prove $\llbracket P \rrbracket \sqsubseteq_{PAT} \llbracket Q \rrbracket$ iff $\vdash P \sqsubseteq Q$. From this result, given that both $\sqsubseteq_{PAT}$ and $\sqsubseteq$ are preorders, we will trivially get $\llbracket P \rrbracket =_{PAT} \llbracket Q \rrbracket$ iff $\vdash P = Q$ and so, by full abstraction, we finally obtain the desired result $P \approx Q$ iff $\vdash P = Q$.

The first axioms of our system are similar to those in [12], and they express that internal choice is idempotent, commutative and associative, while external choice is commutative and $Nil$ is its identity element. Commutativity and associativity are intended up to a suitable rebalance of probabilities. Soundness is trivial.

(II) $P \oplus_p P = P$    (CI) $P \oplus_p Q = Q \oplus_{1-p} P$

(AI) $P \oplus_p (Q \oplus_q R) = (P \oplus_{p'} Q) \oplus_{q'} R$, where $q' = p + q - p \cdot q$ and $p' = \frac{p}{q'}$

(CE) $P +_p Q = Q +_{1-p} P$    (NE) $P +_p Nil = P$

Now, we present some axioms that are not sound in our probabilistic model, although they were in nonprobabilistic testing models. First, in general, the external choice operator is not idempotent, as the following example shows:

Example 2 Consider the processes $P = a \oplus_{\frac12} b$ and $P' = P +_{\frac12} P$, and the test $T = a;\omega$. We have $pass(P,T) = \frac12$ while $pass(P',T) = \frac34$. □

This fact also appears in models dealing with replication, where the choice between two copies of the same process is not equivalent to the original process. On the other hand, we have the following:

Proposition 1 Let $P$ be a stable process. Then, for any $p \in (0,1)$ we have $P \approx (P +_p P)$. □

Moreover, associativity of the external choice does not hold, even if we introduce a rebalance of probabilities similar to that used in axiom (AI).

Example 3 Consider $P = a +_{\frac12} (b +_{\frac12} Nil)$ and $P' = (a +_{\frac23} b) +_{\frac34} Nil$, and let $T = a;\omega +_{\frac12} b;Nil$. We have $pass(P,T) = \frac12$, but $pass(P',T) = \frac23$. This is so because $P \approx (a +_{\frac12} b)$ while $P' \approx (a +_{\frac23} b)$, and obviously $(a +_{\frac12} b) \not\approx (a +_{\frac23} b)$. □

This lack of associativity could create problems when trying to define normal forms, but fortunately non-associativity only appears in the presence of $Nil$. We can easily solve the problem since, by axiom (NE), we can remove all the occurrences of the process $Nil$ in external choices. In short, we have a restricted form of associativity that will be enough in order to transform any finite process into normal form.

Proposition 2 Let $P_1, P_2, P_3$ be processes such that for all $i$ we have $P_i \rightarrow$, that is, stable processes which are not operationally equivalent to $Nil$. Then, $P_1 +_p (P_2 +_q P_3) \approx (P_1 +_{p'} P_2) +_{q'} P_3$, where $q' = p + q - p \cdot q$ and $p' = \frac{p}{q'}$. □
Next we will introduce axioms dealing with divergence. Soundness proofs with respect to $\sqsubseteq_{PAT}$ are again trivial.

(D) $\Omega \sqsubseteq P$    (DI) [not legible in the source]    (DE) $P +_p \Omega = \Omega$

Note that, in contrast with the nonprobabilistic case, $P \oplus_p \Omega \neq \Omega$. For example, consider $P = a;Nil$ and $T = a;\omega$. We have $pass(P \oplus_p \Omega, T) = p$, while $pass(\Omega, T) = 0$.

Now, we will consider the distributive laws between the external and the internal choice operators. The soundness of the following axiom is easy to prove:

(DEI) $P_1 +_p (P_2 \oplus_q P_3) = (P_1 +_p P_2) \oplus_q (P_1 +_p P_3)$

The previous axiom can be generalized to deal with generalized internal choices:

(DEIG) $P +_p \left(\bigoplus_{i=1}^{n} [p_i]\, P_i\right) = \bigoplus_{i=1}^{n} [p_i]\,(P +_p P_i)$

On the contrary, the converse distributivity does not hold in general. This is illustrated by the following example.

Example 4 Let $P = a \oplus_{\frac12} (b +_{\frac12} c)$ and $Q = (a \oplus_{\frac12} b) +_{\frac12} (a \oplus_{\frac12} c)$. We have $pass(P, a;\omega) = \frac12$ while $pass(Q, a;\omega) = \frac34$. □
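The rules of Figure 1 are not reproduced in this text, so the following interpreter, an added example that is not part of the paper, encodes the transition rules as the text of Section 2 describes them ((EXT1-5), (PAR1-6) with the normalization factor $\mu$, Lemma 1) together with $pass$ from Definition 4, and re-derives the values quoted in Examples 1-4, in the remark on tests of the form $a +_p \omega$, and in the remark on $P \oplus_p \Omega$. The tuple encoding of terms, the names `steps`, `pass_prob` and `examples`, the joint internal step taken when both arguments of a choice are unstable, and the treatment of $\Omega$ as transition-less (its internal self-loop never contributes to a successful computation, so $pass$ is unchanged) are this example's own choices, not the paper's.

```python
"""Finite-PPA interpreter: the transition rules as described in Section 2 and the
pass() function of Definition 4, re-deriving the numbers quoted in Examples 1-4."""
from fractions import Fraction as F

# Process terms as nested tuples (an encoding chosen for this example):
#   ('nil',)  ('omega',)  ('pre', a, P)  ('int', p, P, Q)  ('ext', p, P, Q)  ('par', A, P, Q)
NIL, OMEGA, OMEGA_ACT = ('nil',), ('omega',), 'omega'   # 'omega' is also the success action

def pre(a, P=NIL): return ('pre', a, P)                  # a;P
def ich(p, P, Q): return ('int', F(p), P, Q)             # P (+)_p Q   internal choice
def ech(p, P, Q): return ('ext', F(p), P, Q)             # P +_p Q     external choice
def par(A, P, Q): return ('par', frozenset(A), P, Q)     # P ||_A Q    synchronisation set A

def stable(P):
    """Definition 2: no unguarded internal choice; Omega and (+) are never stable."""
    if P[0] in ('nil', 'pre'): return True
    if P[0] in ('omega', 'int'): return False
    return stable(P[2]) and stable(P[3])

def live(P):
    """Definition 2: 1 iff a stable process can perform some observable action."""
    if P[0] == 'nil': return 0
    if P[0] == 'pre': return 1
    return max(live(P[2]), live(P[3]))

def steps(P):
    """Multiset of transitions of P as a list of (label, prob, P'): label None is an
    internal transition >-->_p, an action name is an external transition -a->_p."""
    k = P[0]
    if k in ('nil', 'omega'):
        return []   # Omega's self-loop never reaches omega, so dropping it leaves pass() unchanged
    if k == 'pre':
        return [(P[1], F(1), P[2])]
    if k == 'int':
        return [(None, P[1], P[2]), (None, 1 - P[1], P[3])]
    arg, L, R = P[1], P[2], P[3]
    rebuild = lambda L2, R2: (k, arg, L2, R2)
    # EXT1-3 / PAR1-3: the arguments resolve internal transitions until both are stable.
    # When both sides are unstable they move jointly with the product probability
    # (our reading of the three-rule description; the figure is not on the page).
    if not (stable(L) and stable(R)):
        ls = [(q, L2) for _, q, L2 in steps(L)] if not stable(L) else [(F(1), L)]
        rs = [(q, R2) for _, q, R2 in steps(R)] if not stable(R) else [(F(1), R)]
        return [(None, ql * qr, rebuild(L2, R2)) for ql, L2 in ls for qr, R2 in rs]
    if k == 'ext':
        # EXT4-5: weights p and 1-p, renormalised to 1 when only one side is live (Example 1)
        wl = arg if live(R) else F(1)
        wr = (1 - arg) if live(L) else F(1)
        return ([(a, wl * q, L2) for a, q, L2 in steps(L)] +
                [(a, wr * q, R2) for a, q, R2 in steps(R)])
    # PAR4-6: interleave actions outside A, synchronise on A, then divide by mu(P, Q, A)
    cand = [(a, q, rebuild(L2, R)) for a, q, L2 in steps(L) if a not in arg]
    cand += [(a, q, rebuild(L, R2)) for a, q, R2 in steps(R) if a not in arg]
    cand += [(a, ql * qr, rebuild(L2, R2)) for a, ql, L2 in steps(L) if a in arg
             for b, qr, R2 in steps(R) if b == a]
    mu = sum(q for _, q, _ in cand)
    return [(a, q / mu, P2) for a, q, P2 in cand] if mu else []

def actions(P):
    """Action names occurring in P (used to build the synchronisation alphabet Act)."""
    if P[0] == 'pre': return {P[1]} | actions(P[2])
    return actions(P[2]) | actions(P[3]) if P[0] in ('int', 'ext', 'par') else set()

def pass_prob(P, T):
    """Definition 4: pass(P, T) with P | T = P ||_Act T, omega kept out of the sync set."""
    act = (actions(P) | actions(T)) - {OMEGA_ACT}
    def go(S):   # sum over all computations; a computation succeeds at its first omega step
        return sum(q if a == OMEGA_ACT else q * go(S2) for a, q, S2 in steps(S))
    return go(par(act, P, T))

def examples():
    """Re-derives Examples 1-4 and the two single-line remarks of Sections 2 and 3."""
    a, b, c, omega = pre('a'), pre('b'), pre('c'), pre(OMEGA_ACT)
    h, Ta = F(1, 2), pre('a', pre(OMEGA_ACT))               # test a;omega
    P2 = ich(h, a, b)                                        # Example 2: P = a (+)_1/2 b
    P3 = ech(h, a, ech(h, b, NIL))                           # Example 3: a +_1/2 (b +_1/2 Nil)
    P3p = ech(F(3, 4), ech(F(2, 3), a, b), NIL)              #            (a +_2/3 b) +_3/4 Nil
    T3 = ech(h, Ta, b)                                       # test a;omega +_1/2 b;Nil
    P4 = ich(h, a, ech(h, b, c))                             # Example 4: a (+)_1/2 (b +_1/2 c)
    Q4 = ech(h, ich(h, a, b), ich(h, a, c))                  #   (a (+)_1/2 b) +_1/2 (a (+)_1/2 c)
    return {
        'ex1': steps(ech(F(1, 3), a, NIL)),                  # (a;Nil) +_p Nil  -a->_1  Nil
        'ex2': (pass_prob(P2, Ta), pass_prob(ech(h, P2, P2), Ta)),
        'ex3': (pass_prob(P3, T3), pass_prob(P3p, T3)),
        'ex4': (pass_prob(P4, Ta), pass_prob(Q4, Ta)),
        'div': pass_prob(ich(F(1, 3), a, OMEGA), Ta),        # pass(P (+)_p Omega, a;omega) = p
        'barb': pass_prob(a, ech(F(1, 3), a, omega)),        # P = a passes a +_p omega with 1-p
    }

if __name__ == '__main__':
    for name, value in examples().items():
        print(name, value)
```

Exact rational arithmetic is used so that the computed values can be compared with the fractions in the examples; `examples()['ex2']` yields $(\frac12, \frac34)$, `['ex3']` yields $(\frac12, \frac23)$ and `['ex4']` yields $(\frac12, \frac34)$. Because the language handled here has no recursion, every computation is finite and the recursive sum in `pass_prob` terminates.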

As in the nonprobabilistic case, in order to prove the completeness of the logic system we will introduce an appropriate notion of normal form. Given that in our normal forms we will have generalized external choices instead of binary ones, we need an axiom for composing two generalized external choices by a binary external choice, called (EBE), and one for composing two generalized external choices having the same associated actions and the same probabilities by an internal choice, called (IBE).



Let $A = \{a_1, \ldots, a_n\} \subseteq Act$ and $B = \{b_1, \ldots, b_m\} \subseteq Act$. Let us consider the processes $P = \sum_{i=1}^{n} [p_i]\, a_i;P_i$ and $Q = \sum_{j=1}^{m} [q_j]\, b_j;Q_j$. Then, the following axiom is sound:

(EBE) $P +_p Q = R$

where $R = \sum_{k=1}^{l} [r_k]\, c_k;R_k$, $C = \{c_1, \ldots, c_l\} = A \cup B$, and

$r_k = \begin{cases} p \cdot p_i & \text{if } c_k = a_i \in A - B \\ (1-p) \cdot q_j & \text{if } c_k = b_j \in B - A \\ p \cdot p_i + (1-p) \cdot q_j & \text{if } c_k = a_i = b_j \in A \cap B \end{cases}$

$R_k = \begin{cases} P_i & \text{if } c_k = a_i \in A - B \\ Q_j & \text{if } c_k = b_j \in B - A \\ P_i \oplus_{p'} Q_j & \text{if } c_k = a_i = b_j \in A \cap B \wedge p' = \frac{p \cdot p_i}{p \cdot p_i + (1-p) \cdot q_j} \end{cases}$

Let $\{(a_1,p_1), (a_2,p_2), \ldots, (a_n,p_n)\}$ be a non-empty state. Then the following axiom is sound:

(IBE) $\left(\sum_{i=1}^{n} [p_i]\, a_i;P_i\right) \oplus_p \left(\sum_{i=1}^{n} [p_i]\, a_i;Q_i\right) = \sum_{i=1}^{n} [p_i]\, a_i;(P_i \oplus_p Q_i)$



Next we present the soundness proof of the axiom (EBE) (the proof of (IBE) is easier). First, we give an auxiliary definition.

Definition 6 Let $T$ be a probabilistic barb with initial actions $t_1, \ldots, t_n$, that is, $T = \sum_{i=1}^{n} [s_i]\,(t_i;Nil) +_s \omega$ or $T = \sum_{i=1}^{n} [s_i]\, t_i;T_i$. We define its set of initial actions, denoted by $\bar{T}$, as $\bar{T} = \{t_1, \ldots, t_n\}$. Given a set of actions $C \subseteq Act$, we define the set $T_C$ as $T_C = \{t_i \mid t_i \in C \cap \bar{T}\}$. □



Lemma 3 The axiom (EBE) is sound.

Proof. In order to clarify the notation, $p(P, a_i)$ stands for $p_i$ and $p(Q, b_j)$ stands for $q_j$. Note that applying the rules (EXT4) and (EXT5) we have that $P \xrightarrow{a}_q P'$ implies $P +_p Q \xrightarrow{a}_{p \cdot q} P'$, and $Q \xrightarrow{a}_q Q'$ implies $P +_p Q \xrightarrow{a}_{(1-p) \cdot q} Q'$. We will show that for any $T \in \mathcal{PB}$ we have $pass(P +_p Q, T) = pass(R, T)$.

If $T$ is a probabilistic barb of the form $T = \sum_{i=1}^{n} [s_i]\,(t_i;Nil) +_s \omega$, then

$pass(P +_p Q, T) = \dfrac{1-s}{(1-s) + \sum_{t_i \in T_A} s \cdot s_i \cdot p \cdot p(P,t_i) + \sum_{t_i \in T_B} s \cdot s_i \cdot (1-p) \cdot p(Q,t_i)}$

$= \dfrac{1-s}{(1-s) + \sum_{t_i \in T_{A-B}} s \cdot s_i \cdot p \cdot p(P,t_i) + \sum_{t_i \in T_{B-A}} s \cdot s_i \cdot (1-p) \cdot p(Q,t_i) + \sum_{t_i \in T_{A \cap B}} s \cdot s_i \cdot (p \cdot p(P,t_i) + (1-p) \cdot p(Q,t_i))} = pass(R, T)$

Let $T = \sum_{i=1}^{n} [s_i]\, t_i;T_i$ be a probabilistic barb such that if $i = u$ then $T_i = T'$ for some probabilistic barb $T'$, while $T_i = Nil$ otherwise. We distinguish four cases:

1. $\exists\, 1 \le i \le n : a_i = t_u \in A - B$

2. $\exists\, 1 \le j \le m : b_j = t_u \in B - A$

3. $\exists\, 1 \le i \le n,\ 1 \le j \le m : a_i = b_j = t_u \in A \cap B$

4. $t_u \notin A \cup B$.

In the last case we trivially get $pass(P +_p Q, T) = pass(R, T) = 0$. The proof for the first three cases is very similar, so we present, as an example, the proof for the third case:
$pass(P +_p Q, T) = \dfrac{s_u \cdot p \cdot p_i \cdot pass(P_i, T') + s_u \cdot (1-p) \cdot q_j \cdot pass(Q_j, T')}{\sum_{t_i \in T_{A-B}} s_i \cdot p \cdot p(P,t_i) + \sum_{t_i \in T_{B-A}} s_i \cdot (1-p) \cdot p(Q,t_i) + \sum_{t_i \in T_{A \cap B}} s_i \cdot (p \cdot p(P,t_i) + (1-p) \cdot p(Q,t_i))}$

$= \dfrac{s_u \cdot (p \cdot p_i + (1-p) \cdot q_j) \cdot pass(P_i \oplus_{q'} Q_j, T')}{\sum_{t_i \in T_{A-B}} s_i \cdot p \cdot p(P,t_i) + \sum_{t_i \in T_{B-A}} s_i \cdot (1-p) \cdot p(Q,t_i) + \sum_{t_i \in T_{A \cap B}} s_i \cdot (p \cdot p(P,t_i) + (1-p) \cdot p(Q,t_i))} = pass(R, T)$, where $q' = \dfrac{p \cdot p_i}{p \cdot p_i + (1-p) \cdot q_j}$.

□

Fig. 2. Inference Rules.

(O1) $\dfrac{}{P \sqsubseteq P}$    (O2) $\dfrac{P \sqsubseteq Q \wedge Q \sqsubseteq P}{P = Q}$    (O3) $\dfrac{P \sqsubseteq Q,\ Q \sqsubseteq R}{P \sqsubseteq R}$

(C1) $\dfrac{P \sqsubseteq Q}{a;P \sqsubseteq a;Q}$    (C2) $\dfrac{P \sqsubseteq Q \wedge P' \sqsubseteq Q'}{P +_p P' \sqsubseteq Q +_p Q'}$    (C3) $\dfrac{P \sqsubseteq Q \wedge P' \sqsubseteq Q'}{P \oplus_p P' \sqsubseteq Q \oplus_p Q'}$

(RE) $\dfrac{}{P = P}$    (OI1) $\dfrac{P \sqsubseteq Q}{P \sqsubseteq P \oplus_p Q}$    (OI2) $\dfrac{P \sqsubseteq Q}{P \oplus_p Q \sqsubseteq Q}$

In addition to the previous axioms, we need a set of rules indicating that the relation $=$ fulfills some good properties. The inference rules of our logic system are given in Figure 2. Rules (O1-3) indicate that $\sqsubseteq$ is an order relation. Rules (C1-3) say that $\sqsubseteq$ is a precongruence with respect to the basic operators of the language. (RE) says that $=$ is reflexive. Finally, (OI1-2) indicate that internal choice occupies an intermediate position between the corresponding processes. Soundness of the (O1-3), (C1-3), and (RE) rules is trivial with respect to $\sqsubseteq_{PAT}$, given that the latter is defined compositionally, while the soundness of (OI1-2) can be easily shown with respect to $\sqsubseteq_{PAT}$.

Definition 7 Given two processes $P$ and $Q$, we write $\vdash P \sqsubseteq Q$ (resp. $\vdash P = Q$) if $P \sqsubseteq Q$ (resp. $P = Q$) can be derived from the axioms given before and the rules given in Figure 2. □

Given that the previous axioms and rules are sound, we automatically get

Theorem 2 (Soundness for $PPA_{fin}$)

For any $P, Q \in PPA_{fin}$ we have that $\vdash P \sqsubseteq Q$ implies $\llbracket P \rrbracket \sqsubseteq_{PAT} \llbracket Q \rrbracket$. As a corollary, we also have that $\vdash P = Q$ implies $\llbracket P \rrbracket =_{PAT} \llbracket Q \rrbracket$, and by using full abstraction of $=_{PAT}$, $\vdash P = Q$ implies $P \approx Q$. □

This result indicates that if we can derive the equivalence between two finite processes from the axiom system, then these two processes are testing equivalent. In the remainder of the section we will prove that our axiomatization is also complete, that is, if two finite processes are testing equivalent, then the equivalence of these processes with respect to $=$ can be derived from the given axiomatization.

In order to simplify the completeness proof we will use a notion of normal form, and we will prove that every $PPA_{fin}$ process can be transformed into a normal form by applying the axioms and rules of our axiom system. Our normal forms are similar to those in [12], that is, they will be generalized internal choices of generalized external choices. The actions associated with the generalized external choices prefix normal forms, so that normal forms will be processes which have a strict alternation between generalized internal choices and generalized external choices. Moreover, we will not allow two generalized external choices associated with the same internal choice to have the same set of actions and the same probability distribution associated with them. Actually, our normal forms are the syntactic expression of the semantic processes described in [?].

Definition 8 Normal forms are those $PPA_{fin}$ processes defined by means of the following BNF expression:

$N ::= \bigoplus_{i=1}^{n} [p_i] \sum_{j=1}^{r_i} [p_{ij}]\, a_{ij};N_{ij}$

where $n \ge 0$,

• $\forall\, 1 \le i \le n : p_i > 0 \wedge r_i \ge 0$, and if $r_i > 0$ then $\sum_{j=1}^{r_i} p_{ij} = 1 \wedge \forall\, 1 \le j \le r_i : p_{ij} > 0$

• $\forall\, 1 \le i \le n : \forall\, 1 \le k, l \le r_i,\ k \ne l : a_{i,k} \ne a_{i,l}$

• $\forall\, 1 \le u, v \le n,\ u \ne v : \{(a_{u,j}, p_{u,j})\}_{j=1}^{r_u} \ne \{(a_{v,j}, p_{v,j})\}_{j=1}^{r_v}$

Note that, in contrast with [?], we do not force the continuations after the same action in different states to be equal. We will use the following alternative notation for normal forms:

$N ::= \bigoplus_{A \in \mathcal{A}} [p_A] \sum_{(a,p_a) \in A} [p_a]\, a;N_{a,A}$

where $\mathcal{A}$ is a finite subset of $\mathcal{P}(Act \times (0,1])$ such that for all $A \in \mathcal{A}$, if $A \ne \emptyset$ then $\sum \{ p_a \mid (a,p_a) \in A \} = 1$. The next result states that any $PPA_{fin}$ process can be transformed into a normal form by using the axiom system.

Theorem 3 Given $P \in PPA_{fin}$, there exists a normal form $N$ such that $\vdash P = N$.

Proof. The proof is done by structural induction, and we only present the case for internal choice. The proof for $Nil$, $\Omega$, and prefix is trivial, while the proof for external choice is similar to the one for internal choice.

If $P = P_1 \oplus_p P_2$, then by the induction hypothesis $P_1$ and $P_2$ can be transformed into normal forms $N_1$ and $N_2$ respectively, such that $P_1 = N_1$ and $P_2 = N_2$, where

$N_1 = \bigoplus_{A \in \mathcal{A}} [p_A] \sum_{(a,p_a) \in A} [p_a]\, a;P_{a,A}$ and $N_2 = \bigoplus_{B \in \mathcal{B}} [q_B] \sum_{(b,q_b) \in B} [q_b]\, b;Q_{b,B}$

Applying the rules (C3) and (O1-2) we obtain $P_1 \oplus_p P_2 = N_1 \oplus_p N_2$. Now, applying the axiom (IBE), if necessary, and given that any generalized internal choice can be decomposed into binary internal choices and vice versa, we obtain the normal form

$N = \bigoplus_{C \in \mathcal{C}} [r_C] \sum_{(c,r_c) \in C} [r_c]\, c;R_{c,C}$

where $\mathcal{C} = \mathcal{A} \cup \mathcal{B}$ and for any $C \in \mathcal{C}$ we have three possibilities:

$C = A \in \mathcal{A} - \mathcal{B} \;\Rightarrow\; r_C = p \cdot p_A \wedge \forall c \in C : R_{c,C} = P_{c,A}$

$C = B \in \mathcal{B} - \mathcal{A} \;\Rightarrow\; r_C = (1-p) \cdot q_B \wedge \forall c \in C : R_{c,C} = Q_{c,B}$

$C = A = B \in \mathcal{A} \cap \mathcal{B} \;\Rightarrow\; r_C = p \cdot p_A + (1-p) \cdot q_B \wedge \forall c \in C : R_{c,C} = P_{c,A} \oplus_{\frac{p \cdot p_A}{r_C}} Q_{c,B}$

In the first two cases we obtain that the $R_{c,C}$ are already normal forms, while in the last case we can apply the induction hypothesis to the corresponding processes $P_{c,A}$ and $Q_{c,B}$ in order to get a normal form. Therefore, we have got a normal form $N$ such that $N_1 \oplus_p N_2 = N$, and so, applying the rules (O1-3), we obtain $P_1 \oplus_p P_2 = N$. □

Next we present a result stating that if two (semantic) processes are related by $\sqsubseteq_{PAT}$, then the corresponding syntactic processes are also related by $\sqsubseteq$.

Lemma 4 Let $P, Q \in PPA_{fin}$. Then, $\llbracket P \rrbracket \sqsubseteq_{PAT} \llbracket Q \rrbracket$ implies $\vdash P \sqsubseteq Q$.

Proof. By Theorem 3, $P$ and $Q$ can be transformed into normal forms by using the axiom system. So we can restrict ourselves to the study of the equivalent normal forms. Let us take

$P = \bigoplus_{A \in \mathcal{A}} [p_A] \sum_{(a,p_a) \in A} [p_a]\, a;P_{a,A}$ and $Q = \bigoplus_{B \in \mathcal{B}} [q_B] \sum_{(b,q_b) \in B} [q_b]\, b;Q_{b,B}$

where $\mathcal{A}, \mathcal{B} \subseteq \mathcal{P}(Act \times (0,1])$. Note that $p(\llbracket P \rrbracket, \epsilon, A) = p_A$ and $p(\llbracket Q \rrbracket, \epsilon, B) = q_B$. The proof is done by using structural induction over the complexity of processes. By complexity we mean the depth of processes, that is, the maximum number of times that a generalized internal choice (followed by a generalized external choice) appears in a row. If two processes have the same depth, we consider that a process is more complex than another one if the reachable states of the latter are contained in the ones of the former. We have three possibilities:

• $\mathcal{A}$ and $\mathcal{B}$ are different

• $\mathcal{A} = \mathcal{B}$ and $\exists\, C \in \mathcal{A} : p_C \ne q_C$

• $\mathcal{A} = \mathcal{B}$ and $\forall\, C \in \mathcal{A} : p_C = q_C$

We present the proof only for the first case. So we suppose that $\mathcal{A} \ne \mathcal{B}$. Given that $\llbracket P \rrbracket \sqsubseteq_{PAT} \llbracket Q \rrbracket$, there exists a state $B'$ such that $B' \in \mathcal{B} - \mathcal{A}$. Moreover, the probability in $Q$ of any state belonging to $\mathcal{B}$ must be greater than or equal to the corresponding one in $P$. Moreover, since $\llbracket P \rrbracket \sqsubseteq_{PAT} \llbracket Q \rrbracket$, we have $\mathcal{A} \subseteq \mathcal{B}$. Then we have

$\sum_{A \in \mathcal{A}} p_A \;\le\; \sum_{A \in \mathcal{A}} q_A \;\le\; \sum_{A \in \mathcal{A}} q_A + q_{B'} \;\le\; \sum_{B \in \mathcal{B}} q_B \;\le\; 1$
and so the probability of $P$ diverging in its first step is greater than or equal to $q_{B'}$. Now, using the axiom (AI), we can rewrite $P$ and $Q$ as:

$P = \left( \bigoplus_{A \in \mathcal{A}} \left[\frac{p_A}{1 - q_{B'}}\right] \sum_{(a,p_a) \in A} [p_a]\, a;P_{a,A} \right) \oplus_{1 - q_{B'}} \Omega$

$Q = \left( \bigoplus_{B \in \mathcal{B} - \{B'\}} \left[\frac{q_B}{1 - q_{B'}}\right] \sum_{(b,q_b) \in B} [q_b]\, b;Q_{b,B} \right) \oplus_{1 - q_{B'}} \left( \sum_{(b',q_{b'}) \in B'} [q_{b'}]\, b';Q_{b',B'} \right)$

Applying axiom (D), we have

$\Omega \;\sqsubseteq\; \sum_{(b',q_{b'}) \in B'} [q_{b'}]\, b';Q_{b',B'}$    (1)

Given that $\llbracket P \rrbracket \sqsubseteq_{PAT} \llbracket Q \rrbracket$, we obtain

$\left\llbracket \bigoplus_{A \in \mathcal{A}} \left[\frac{p_A}{1 - q_{B'}}\right] \sum_{(a,p_a) \in A} [p_a]\, a;P_{a,A} \right\rrbracket \;\sqsubseteq_{PAT}\; \left\llbracket \bigoplus_{B \in \mathcal{B} - \{B'\}} \left[\frac{q_B}{1 - q_{B'}}\right] \sum_{(b,q_b) \in B} [q_b]\, b;Q_{b,B} \right\rrbracket$

and applying the induction hypothesis, given that the states of the right hand side process are contained in those of the process $Q$, we have

$\bigoplus_{A \in \mathcal{A}} \left[\frac{p_A}{1 - q_{B'}}\right] \sum_{(a,p_a) \in A} [p_a]\, a;P_{a,A} \;\sqsubseteq\; \bigoplus_{B \in \mathcal{B} - \{B'\}} \left[\frac{q_B}{1 - q_{B'}}\right] \sum_{(b,q_b) \in B} [q_b]\, b;Q_{b,B}$    (2)

Then, applying the rule (C3) to equations (1) and (2), we conclude $P \sqsubseteq Q$. □

By using the equivalence between $=_{PAT}$ and $\approx$, and this result, we obtain

Theorem 4 (Completeness for $PPA_{fin}$)

For any processes $P, Q \in PPA_{fin}$ we have that $P \approx Q$ implies $\vdash P = Q$. □



4 Extension of the System to Infinite Processes 

In this section we extend the previous results to deal with recursion, adding to $PPA_{fin}$ recursive processes (we call this language $PPA_{rec}$). We will work with the approximations by finite processes of recursive processes, which are defined as in [12].

Definition 9 Let $P$ be a $PPA_{rec}$ process. For any $n \in \mathbb{N}$, we define the $n$-th finite approximation of $P$ as $P^0 = \Omega$, and for $n \ge 0$:

• $X^{n+1} = X$, $X \in Id$    • $Nil^{n+1} = Nil$    • $\Omega^{n+1} = \Omega$

• $(a;P)^{n+1} = a;P^{n+1}$    • $(P \oplus_p Q)^{n+1} = P^{n+1} \oplus_p Q^{n+1}$

• $(recX.P)^{n+1} = P^{n+1}\{(recX.P)^n / X\}$    • $(P +_p Q)^{n+1} = P^{n+1} +_p Q^{n+1}$
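Definition 9 can be made concrete with the following Python functions, an added example that is not part of the paper: `approx` computes $P^n$ syntactically, clause by clause, and `first_action_mass` reads off, for an approximation built from $Nil$, $\Omega$, prefix and internal choice, how much probability reaches a first observable action, the remainder being the divergence mass mentioned after Definition 3. Applied to $P = recX.(a;Nil) \oplus_p X$ from the introduction, it shows $P^n$ executing $a$ with probability $1 - (1-p)^n$, which tends to 1 as the paper claims. The tuple encoding, the function names and the substitution helper are this example's own, and substitution assumes bound variable names are distinct from the substituted one.

```python
"""Definition 9: n-th finite approximation of a PPA_rec process, and the probability that
an approximation assigns to its first observable action (an added example)."""
from fractions import Fraction as F

# Term encoding chosen for this example: nested tuples
NIL, OMEGA = ('nil',), ('omega',)
def var(x): return ('var', x)                        # process variable X
def pre(a, P=NIL): return ('pre', a, P)              # a;P
def ich(p, P, Q): return ('int', F(p), P, Q)         # P (+)_p Q
def ech(p, P, Q): return ('ext', F(p), P, Q)         # P +_p Q
def rec(x, P): return ('rec', x, P)                  # recX.P

def subst(P, x, R):
    """P{R/x}: replace free occurrences of x by R (bound names assumed distinct from x)."""
    k = P[0]
    if k == 'var': return R if P[1] == x else P
    if k == 'pre': return ('pre', P[1], subst(P[2], x, R))
    if k in ('int', 'ext'): return (k, P[1], subst(P[2], x, R), subst(P[3], x, R))
    if k == 'rec': return P if P[1] == x else ('rec', P[1], subst(P[2], x, R))
    return P                                         # Nil, Omega

def approx(P, n):
    """P^n of Definition 9: P^0 = Omega, the operators approximate argument-wise,
    and (recX.P)^{n+1} = P^{n+1}{(recX.P)^n / X}."""
    if n == 0: return OMEGA
    k = P[0]
    if k in ('nil', 'omega', 'var'): return P
    if k == 'pre': return ('pre', P[1], approx(P[2], n))
    if k in ('int', 'ext'): return (k, P[1], approx(P[2], n), approx(P[3], n))
    return subst(approx(P[2], n), P[1], approx(P, n - 1))   # the recursion clause

def first_action_mass(P):
    """Sub-distribution over the first observable action of a finite closed process built
    from Nil, Omega, prefix and internal choice; the missing mass is divergence."""
    k = P[0]
    if k == 'pre': return {P[1]: F(1)}
    if k == 'int':
        d = {}
        for w, Q in ((P[1], P[2]), (1 - P[1], P[3])):
            for a, m in first_action_mass(Q).items():
                d[a] = d.get(a, F(0)) + w * m
        return d
    return {}                                        # Nil and Omega offer no action

def unfold_demo(p=F(1, 3), n=4):
    """P = recX.(a;Nil) (+)_p X from the introduction: P^k executes a with probability
    1 - (1-p)^k, which tends to 1 (P is testing equivalent to a;Nil)."""
    P = rec('X', ich(p, pre('a'), var('X')))
    return [first_action_mass(approx(P, k)).get('a', F(0)) for k in range(n + 1)]

if __name__ == '__main__':
    print([str(x) for x in unfold_demo()])           # ['0', '1/3', '5/9', '19/27', '65/81']
```

For the finite processes of Section 3 `approx` returns the process itself for every $n \ge 1$, which is the observation opening the next paragraph; for the recursive process the approximations form the chain $\Omega$, $a \oplus_p \Omega$, $a \oplus_p (a \oplus_p \Omega)$, ..., whose divergence mass $(1-p)^n$ vanishes in the limit.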
Note that for $PPA_{fin}$ processes it holds that their finite approximations are equal to themselves. Also note that each finite approximation is a finite process, and therefore we can use the results given in the previous section when reasoning about finite approximations. The previous axiom system is extended with three new rules:

(R1) $\dfrac{}{P\{recX.P/X\} = recX.P}$    (R2) $\dfrac{\forall\, n \in \mathbb{N} : P^n \sqsubseteq R}{P \sqsubseteq R}$    (R3) $\dfrac{\forall\, n \in \mathbb{N} : P \oplus_{\frac{n}{n+1}} \Omega \sqsubseteq Q}{P \sqsubseteq Q}$

The first two rules already appeared in [12], and their soundness proofs easily follow from the definition of the denotational semantics of recursive processes.[2] Concretely, soundness of (R1) is trivial because $\llbracket P\{recX.P/X\} \rrbracket = \bigsqcup_{n \ge 1} \llbracket P^n \rrbracket$, while (R2) is sound because we are working within a cpo, and so $\llbracket P \rrbracket$ is the least upper bound of $\{\llbracket P^n \rrbracket\}_{n \ge 0}$.

The rule (R3) is added to our system for technical reasons. This rule is necessary because the semantics of finite syntactic processes (i.e. without occurrences of the recursion operator) is given by non-compact elements in the semantic domain. We will comment more thoroughly on this rule when we use it.


Lemma 5 The rule (R3) is sound.

Proof. Let us suppose that for all n ∈ IN we have ⟦P ⊕_{1−1/n} Ω⟧ ⊑_pat ⟦P'⟧. That
is, for any n ∈ IN, any sequence s, and any state A, p(⟦P ⊕_{1−1/n} Ω⟧, s, A) ≤
p(⟦P'⟧, s, A). From the definition of the internal choice semantic function, we have

  p(⟦P ⊕_{1−1/n} Ω⟧, s, A) = (1 − 1/n) · p(⟦P⟧, s, A) + (1/n) · p(⟦Ω⟧, s, A) = (1 − 1/n) · p(⟦P⟧, s, A).

Taking into account the two previous facts, we have that for any s and A:

  p(⟦P⟧, s, A) = lim_{n→∞} (1 − 1/n) · p(⟦P⟧, s, A) ≤ p(⟦P'⟧, s, A)

which implies ⟦P⟧ ⊑_pat ⟦P'⟧. □



Theorem 5 (Soundness for PPA_rec)

Let P, Q be PPA_rec processes. We have that ⊢ P = Q implies P ≈ Q. □

Now we will prove completeness of the axiomatization. First we present a
result (whose proof is essentially as in [12]), and then we extend Lemma 4 to
the case when one of the processes is not finite.

Lemma 6 Let P ∈ PPA_rec. For any approximation P^n of P we have ⊢ P^n ⊑ P. □



Lemma 7 Let P ∈ PPA_rec, and Q ∈ PPA_fin. ⟦P⟧ ⊑_pat ⟦Q⟧ implies P ⊑ Q.

Proof. Given that the finite approximations of P form a chain such that ⟦P⟧ is
its least upper bound, we have ⟦P^0⟧ ⊑_pat ··· ⊑_pat ⟦P^n⟧ ⊑_pat ··· ⊑_pat ⟦P⟧ ⊑_pat ⟦Q⟧.
Given that the processes P^n and Q are finite, we can apply the previous results
for finite processes, concluding that for all n we have P^n ⊑ Q, and applying (R2)
we have P ⊑ Q. □

¹ As usual, the (denotational) semantics of a recursive process is given by the limit
of its finite approximations, that is, ⟦recX.P⟧ = ⊔_{n≥0} ⟦P^n⟧.

Now, let us consider the case where P is finite but Q is not. Given that the
usual way to assign semantics to recursive processes is by means of their finite
approximations, the most straightforward way of proving P ⊑ Q would be to guarantee
that there exists m such that the m-th finite approximation of the process Q
fulfills ⟦P⟧ ⊑_pat ⟦Q^m⟧. Then, given that P and Q^m are finite, we could apply
Lemma 4, deducing P ⊑ Q^m. Besides, we have Q^m ⊑ Q (Lemma 6), and so,
applying (C3), we would obtain P ⊑ Q. If finite processes were mapped into
compact (also called finite) elements in the semantic domain, then the existence
of such an m would be guaranteed, given that if P is a compact element and
P ⊑_pat ⊔P^n then there exists P^i such that P ⊑_pat P^i; but unfortunately this is
not the case, as the following example shows.

Example 5 Consider P = recX.((a; Nil) ⊕_{1/2} X), and Q = a; Nil. It is easy to
check that the finite approximations of P are given by P^n = (a; Nil) ⊕_{1−1/2^n} Ω.

By definition we have ⟦P⟧ = ⊔⟦P^n⟧, and so we trivially get ⟦P⟧ ⊑_pat ⊔⟦P^n⟧.
Moreover, ⟦P⟧ describes a syntactic finite process, because ⟦P⟧ =_pat ⟦Q⟧, and so,
we should be able to conclude P = Q. By the previous lemma we have P ⊑ Q,
but there does not exist m such that ⟦Q⟧ ⊑_pat ⟦P^m⟧, otherwise we would have

  1 = p(⟦Q⟧, ε, {(a, 1)}) ≤ p(⟦P^m⟧, ε, {(a, 1)}) = 1 − 1/2^m

which is not the case. So, we have found a finite (syntactic) process, a; Nil, whose
semantics is the least upper bound of the infinite nontrivial chain {⟦P^n⟧}_{n≥1}.

□

The previous example shows that in general we must use another way in
order to deduce P ⊑ Q from ⟦P⟧ ⊑_pat ⟦Q⟧. This is the reason why the rule (R3)
was included in our logic system. This is an important difference with respect to
m, where finite processes are mapped into compact elements. Note that even
if we delete probabilities, the previous example is not correct in the classical
testing theory, given that Ω is a zero of ⊕ (Ω is also a zero of the external
choice and parallel operators), and so the rule (R3) is not sound in that setting.
Let us remark that the only compact element of the semantic domain is the
one corresponding to divergence, given that for any process P different from
Ω we can always construct a sequence, for instance P^n = P ⊕_{1−1/n} Ω, such
that P is below the limit (actually ⟦P⟧ = ⊔⟦P^n⟧) while for any n
⟦P⟧ ⊑_pat ⟦P^n⟧ does not hold.
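The finite approximations of Definition 9 and the chain of Example 5, as an added Python example that is not part of the original paper: it represents the recursion-free terms syntactically, computes P^n, and, instead of the paper's function p(⟦P⟧, s, A), uses the simpler observable "probability of performing a as the first action" (an assumption of this example). The helper first_dominating_approx and the names P_EX5, Q_EX5 and omega_choice are this example's own.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Union

# Constructed mini-syntax for the terms used on this page:
# Nil, Omega (divergence), a;P, P (+)_p Q (internal choice), X and recX.P.
@dataclass(frozen=True)
class Nil:
    pass

@dataclass(frozen=True)
class Omega:
    pass

@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class Prefix:          # action ; cont
    action: str
    cont: "Proc"

@dataclass(frozen=True)
class IChoice:         # left (+)_p right: left with probability p, right with 1-p
    p: Fraction
    left: "Proc"
    right: "Proc"

@dataclass(frozen=True)
class Rec:             # rec var . body
    var: str
    body: "Proc"

Proc = Union[Nil, Omega, Var, Prefix, IChoice, Rec]


def subst(P: Proc, name: str, Q: Proc) -> Proc:
    """P{Q/X}: replace the free occurrences of variable `name` in P by Q."""
    if isinstance(P, Var):
        return Q if P.name == name else P
    if isinstance(P, Prefix):
        return Prefix(P.action, subst(P.cont, name, Q))
    if isinstance(P, IChoice):
        return IChoice(P.p, subst(P.left, name, Q), subst(P.right, name, Q))
    if isinstance(P, Rec):
        return P if P.var == name else Rec(P.var, subst(P.body, name, Q))
    return P  # Nil, Omega


def approx(P: Proc, n: int) -> Proc:
    """The n-th finite approximation P^n of Definition 9 (P^0 = Omega)."""
    if n == 0:
        return Omega()
    if isinstance(P, Prefix):
        return Prefix(P.action, approx(P.cont, n))
    if isinstance(P, IChoice):
        return IChoice(P.p, approx(P.left, n), approx(P.right, n))
    if isinstance(P, Rec):
        # (recX.P)^{n+1} = P^{n+1}{(recX.P)^n / X}
        return subst(approx(P.body, n), P.var, approx(P, n - 1))
    return P  # Nil, Omega and variables are their own approximations


def prob_first(P: Proc, action: str) -> Fraction:
    """Probability that a finite closed process performs `action` first.
    Omega contributes no mass, which is why it behaves as a zero of (+)_p."""
    if isinstance(P, Prefix):
        return Fraction(1) if P.action == action else Fraction(0)
    if isinstance(P, IChoice):
        return P.p * prob_first(P.left, action) + (1 - P.p) * prob_first(P.right, action)
    if isinstance(P, (Nil, Omega)):
        return Fraction(0)
    raise ValueError("only finite closed processes have a direct probability")


def first_dominating_approx(P: Proc, Q: Proc, action: str, limit: int = 64):
    """Smallest n <= limit with prob_first(P^n) >= prob_first(Q), or None.
    For Q = (a;Nil) (+)_{1-1/k} Omega this is the n_k of the proof of Lemma 8; for
    Q = a;Nil itself it is None: no approximation of Example 5's P reaches 1."""
    target = prob_first(Q, action)
    for n in range(limit + 1):
        if prob_first(approx(P, n), action) >= target:
            return n
    return None


def omega_choice(Q: Proc, k: int) -> Proc:
    """Q (+)_{1-1/k} Omega, the finite process used by rule (R3) and Lemma 8."""
    return IChoice(1 - Fraction(1, k), Q, Omega())


# Example 5 of the page: P = recX.((a;Nil) (+)_{1/2} X) and Q = a;Nil
A_NIL = Prefix("a", Nil())
P_EX5 = Rec("X", IChoice(Fraction(1, 2), A_NIL, Var("X")))
Q_EX5 = A_NIL

if __name__ == "__main__":
    for n in range(4):
        print(n, prob_first(approx(P_EX5, n), "a"))        # 0, 1/2, 3/4, 7/8
    print(first_dominating_approx(P_EX5, Q_EX5, "a"))       # None
    print(first_dominating_approx(P_EX5, omega_choice(Q_EX5, 8), "a"))  # 3
```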

Lemma 8 Let P ∈ PPA_fin and Q ∈ PPA_rec. ⟦P⟧ ⊑_pat ⟦Q⟧ implies P ⊑ Q.

Proof. We have ⟦P⟧ ⊑_pat ⟦Q⟧ = ⊔⟦Q^n⟧. If there exists m such that ⟦P⟧ ⊑_pat
⟦Q^m⟧, then the proof can be done as previously indicated. So, let us suppose that
there does not exist such an m. Given that {Q^n} form a chain, for any sequence
s and any state A, we have p(⟦P⟧, s, A) ≤ p(⟦Q⟧, s, A) = lim_{n→∞} p(⟦Q^n⟧, s, A).

Let us consider those sequences s and those states A such that p(⟦P⟧, s, A) > 0.
We have that for all k > 0, (1 − 1/k) · p(⟦P⟧, s, A) < lim_{n→∞} p(⟦Q^n⟧, s, A). Note
that (1 − 1/k) · p(⟦P⟧, s, A) = p(⟦P ⊕_{1−1/k} Ω⟧, s, A).

Given that P is a finite process, the set of (s, A) pairs verifying p(⟦P⟧, s, A) > 0
is finite. So, for each k ∈ IN there exists n_k ∈ IN such that for any sequence s
and any state A such that p(⟦P⟧, s, A) > 0, we have p(⟦P ⊕_{1−1/k} Ω⟧, s, A) ≤
p(⟦Q^{n_k}⟧, s, A). Obviously, if p(⟦P⟧, s', A') = 0 then the previous result also holds,
and so we have ⟦P ⊕_{1−1/k} Ω⟧ ⊑_pat ⟦Q^{n_k}⟧, and given that P ⊕_{1−1/k} Ω and Q^{n_k} are
finite processes, we can apply Lemma 4, obtaining P ⊕_{1−1/k} Ω ⊑ Q^{n_k}, for all k ∈ IN.
Again, given that for all n ∈ IN, Q^n ⊑ Q, we have for all k ∈ IN, P ⊕_{1−1/k} Ω ⊑ Q,
and so, applying (R3), we conclude P ⊑ Q. □



Theorem 6 Let P, Q be PPA_rec processes. ⟦P⟧ ⊑_pat ⟦Q⟧ implies P ⊑ Q.

Proof. If either P or Q is finite, then we apply Lemmas 7 and 8. Otherwise,
by the definition of (semantic) finite approximations we have that for all n ∈ IN,
⟦P^n⟧ ⊑_pat ⟦P⟧, and given that ⊑_pat is a preorder, we have ⟦P^n⟧ ⊑_pat ⟦Q⟧. Now,
by Lemma 8 we have P^n ⊑ Q, and applying (R2) we conclude P ⊑ Q. □

Again, by the previous result and the equivalence between =_pat and ≈ we get

Theorem 7 (Completeness for PPA_rec)

For any processes P, Q ∈ PPA_rec, we have P ≈ Q ⟹ ⊢ P = Q. □

5 Extension of the System to the Parallel Operator 

In this section we give some axioms for the parallel operator showing that it can
be considered as a derived one, in the sense that it can be completely eliminated
in finite processes (by transforming processes where the parallel operator appears
into equivalent processes without occurrences of the parallel operator), and that
the occurrences of the parallel operator in recursive processes can be pushed inwards
in such a way that there will be occurrences of the parallel operator but not in
the head of the expression (that is, these processes can be transformed into head
normal form).

These axioms indicate that the parallel operator is commutative and distributes
over the internal choice. Moreover, we have an axiom indicating that
the parallel operator is strict, and that it can be eliminated if both processes are
Nil. We also have an expansion axiom similar to that in nonprobabilistic process
algebras. Finally, we have a rule indicating that this operator is congruent. Let
us comment that even though a parallel operator was not included in m, and
so its (denotational) semantic function is not included there, this function is not
used in this paper given that soundness proofs of the following axioms are easy
with respect to ≈ (the corresponding semantic function is given in El).

  (CP)    P ||_A Q = Q ||_A P

  (DPIC)  P ||_A (⊕_{i=1}^{n} [p_i] P_i) = ⊕_{i=1}^{n} [p_i] (P ||_A P_i)

  (DP)    P ||_A Ω = Ω

  (NP)    Nil ||_A Nil = Nil

Let A = {a_1, ..., a_n} ⊆ Act and B = {b_1, ..., b_m} ⊆ Act. If we consider the
processes P = Σ_{i=1}^{n} [p_i] a_i; P_i and Q = Σ_{j=1}^{m} [q_j] b_j; Q_j, then the following
axiom is sound

  (EP)    P ||_X Q = R

where R = Σ_{k=1}^{l} [r_k] c_k; R_k, C = {c_1, ..., c_l} = ((A ∪ B) − X) ∪ (A ∩ B ∩ X), and

  r_k = p_i · q_j    if c_k = a_i = b_j ∈ X
        p_i          if c_k = a_i ∈ (A − B) − X
        q_j          if c_k = b_j ∈ (B − A) − X
        p_i + q_j    if c_k = a_i = b_j ∈ (A ∩ B) − X

  R_k = P_i ||_X Q_j                          if c_k = a_i = b_j ∈ X
        P_i ||_X Q                            if c_k = a_i ∈ (A − B) − X
        P ||_X Q_j                            if c_k = b_j ∈ (B − A) − X
        (P_i ||_X Q) ⊕_{p'} (P ||_X Q_j)      if c_k = a_i = b_j ∈ (A ∩ B) − X ∧ p' = …

Note that this last axiom can be applied to the process Nil (i.e. empty gen-
eralized external choices), so that the combination of (NP), (DP), and (EP)
allows us to remove trailing occurrences of the parallel operator.

Finally, we have that = is a congruence for the parallel operator, that is, we
have the following rule:

  (C4)        P = P'
        ----------------------
        P ||_A Q = P' ||_A Q



6 Conclusions 

We have presented a sound and complete axiomatization of probabilistic testing
with generative probabilities. The rules and axioms have been presented in three
steps: first, we studied finite processes without parallel composition; then, we
extended the previous axiomatization to deal with recursively defined processes;
and finally, we gave sound axioms which indicate that the parallel operator can
be considered as a derived one from the rest of the operators.

A possible extension of our work would be to include some kind of hiding
or restriction operator. Our results in HH show that such an inclusion is far from
easy if we want to have this operator as a derived one. Specifically, consider the
following processes

  P = (a +_p c; b) \ c

If we make an interpretation of hiding à la CCS, that is, considering that P be-
haves like a +_p τ; b, and we use a suitable definition of testing (e.g. |^) we have
that, given p, in general there do not exist values 0 < p', q_1 ... q_n, p_1 ... p_n < 1
such that P and Q are probabilistic testing equivalent. We have an additional
result. After a complicated redefinition of the parallel operator (using prenor-
malization factors) we got that P could be equivalent to the process (a +_1 b) ⊕_p b,
where +_1 indicates a priority operator similar to that in m. We worked out
a definition of the new semantic model but it was so unmanageable that we
decided not to include priorities in our framework.

Acknowledgments: I would like to thank my advisor, David de Frutos, for
his advice and encouragement. I would also like to thank Scott Smolka for many
valuable comments as a member of my PhD thesis committee, which have improved
the quality of this paper.

References 

1. J.C.M. Baeten, J.A. Bergstra, and S.A. Smolka. Axiomatizing probabilistic
processes: ACP with generative probabilities. Information and Computation,
121(2):234-255, 1995.

2. C. Baier and H. Hermanns. Weak bisimulation for fully probabilistic processes. In
Computer Aided Verification'97, LNCS 1254, pages 119-130. Springer, 1997.

3. I. Christoff. Testing equivalences and fully abstract models for probabilistic pro-
cesses. In CONCUR'90, LNCS 458, pages 126-140. Springer, 1990.

4. R. Cleaveland, I. Lee, P. Lewis, and S.A. Smolka. A theory of testing for soft
real-time processes. In 8th International Conference on Software Engineering and
Knowledge Engineering, 1996.

5. R. Cleaveland, S.A. Smolka, and A.E. Zwarico. Testing preorders for probabilistic
processes. In 19th ICALP, LNCS 623, pages 708-719. Springer, 1992.

6. F. Cuartero, D. de Frutos, and V. Valero. A sound and complete proof system for
probabilistic processes. In 4th International AMAST Workshop on Real-Time Sys-
tems, Concurrent and Distributed Software, LNCS 1231, pages 340-352. Springer,
1997.

7. P.R. D'Argenio, H. Hermanns, and J.-P. Katoen. On generative parallel composi-
tion. In Workshop on Probabilistic Methods in Verification, PROBMIV'98, pages
105-121, 1998.

8. R. de Nicola and M.C.B. Hennessy. Testing equivalences for processes. Theoretical
Computer Science, 34:83-133, 1984.

9. A. Giacalone, C.-C. Jou, and S.A. Smolka. Algebraic reasoning for probabilis-
tic concurrent systems. In Proceedings of Working Conference on Programming
Concepts and Methods, IFIP TC 2. North Holland, 1990.



10. C. Gregorio, L. Llana, M. Núñez, and P. Palao. Testing semantics for a
probabilistic-timed process algebra. In International AMAST Workshop on
Real-Time Systems, Concurrent, and Distributed Software, LNCS 1231, pages 353-
367. Springer, 1997.

11. C. Gregorio and M. Núñez. Denotational semantics for probabilistic refusal testing.
In Workshop on Probabilistic Methods in Verification, PROBMIV'98, pages 123-
137, 1998.

12. M. Hennessy. Algebraic Theory of Processes. MIT Press, 1988.

13. C.-C. Jou and S.A. Smolka. Equivalences, congruences and complete axio-
matizations for probabilistic processes. In CONCUR'90, LNCS 458, pages 367-383.
Springer, 1990.

14. K. Larsen and A. Skou. Bisimulation through probabilistic testing. Information
and Computation, 94(1):1-28, 1991.

15. K.G. Larsen and A. Skou. Compositional verification of probabilistic processes. In
CONCUR'92, LNCS 630, pages 456-471. Springer, 1992.

16. G. Lowe. Probabilistic and prioritized models of timed CSP. Theoretical Computer
Science, 138:315-352, 1995.

17. M. Núñez. Semánticas de Pruebas para Álgebras de Procesos Probabilísticos. PhD
thesis, Universidad Complutense de Madrid, 1996.

18. M. Núñez and D. de Frutos. Testing semantics for probabilistic LOTOS. In Formal
Description Techniques VIII, pages 365-380. Chapman & Hall, 1995.

19. M. Núñez, D. de Frutos, and L. Llana. Acceptance trees for probabilistic processes.
In CONCUR'95, LNCS 962, pages 249-263. Springer, 1995.

20. E.W. Stark and S.A. Smolka. A complete axiom system for finite-state probabilistic
processes, 1996.

21. C. Tofts. A synchronous calculus of relative frequency. In CONCUR'90, LNCS
458, pages 467-480. Springer, 1990.

22. R. van Glabbeek, S.A. Smolka, and B. Steffen. Reactive, generative and stratified
models of probabilistic processes. Information and Computation, 121(1):59-80,
1995.

23. W. Yi and K.G. Larsen. Testing probabilistic and nondeterministic processes. In
Protocol Specification, Testing and Verification XII, pages 47-61. North Holland,
1992.

24. S. Yuen, R. Cleaveland, Z. Dayar, and S.A. Smolka. Fully abstract characterizations
of testing preorders for probabilistic processes. In CONCUR'94, LNCS 836, pages
497-512. Springer, 1994.




Verification of Hybrid Systems

Frits Vaandrager

Computing Science Institute
University of Nijmegen
P.O. Box 9010, 6500 GL Nijmegen
The Netherlands
Frits.Vaandrager@cs.kun.nl



Abstract. The next stage of the computer revolution consists in the 
proliferation of sophisticated and cheap digital controllers into almost ev- 
ery aspect of man-made systems. Informatics is expected to shift its focus 
of attention from computers performing internal computations, or com- 
municating with human users and with other computers, toward com- 
puters interacting in real-time with physical processes. In such settings, 
the proper functioning of the whole system depends critically on the in- 
teraction between the discrete dynamics of the digital controller and the 
continuous dynamics of the environment in which it is embedded. Models 
of hybrid systems suggest a framework for modelling, simulation, verifi- 
cation, synthesis and implementation of such systems. 

The main activity of the Esprit LTR project VHS — Verification of 
Hybrid Systems — consists of analysing academic and industrial case 
studies, taken from the process control industry, in order to define for- 
mal models of plants. These models are then used to verify properties 
concerning their behaviour. The project uses, among others, the mod- 
els of timed and hybrid automata to express hybrid phenomena. Several 
tools for analysing systems expressed in this formalism have been built, 
and are used within the project for automatic verification. 

The VHS project started in 1998. The consortium is composed of five CS 
partners (Verimag, Weizmann, Nijmegen, Brics and Kiel), two chemical 
engineering and process control partners (Dortmund, LAG), two part- 
ners from control theory (CWI and Ghent) and three industrial partners 
(Sidmar, Nylstar, Krupp). 

In this talk, I will report on some initial results obtained by the project, 
and discuss the challenges ahead of us. 
Abstract. We present a high level specification and refinement framework
for concurrent real-time processes with strict message passing based
on predicate transformer semantics. Four different parallel operators are 
defined and we investigate conditions under which they are monotone 
and associative. Refinement rules for single process components are de- 
rived. We also give rules and strategies for the development of a process 
from an abstract specification to a multi-component specification. This 
allows the individual refinement of process components under the main- 
tenance of the global process behaviour. A specification and refinement 
example is included to illustrate the refinement rules. 



1 Introduction 

Mahony jSj developed a specification and refinement framework for data-flow
processes with predicate transformer semantics in the style of Morgan Enni.
This framework focussed on the application to real-time processes. The central
idea was to describe a data-flow, or as it turned out in many cases, a real-time
process with two predicates called the assumption and the effect. Any features
of the environment relevant to the process are specified in the assumption. The
effect is used to describe the desired outcome of the process. In the assumption
effect specification statement

  z[A, E] ,

z denotes a set of variables called the constructed variables, the assumption A
is a predicate over the free variables w which must be disjoint from z, and the
effect E is a predicate with free variables z ∪ w. With disjointness of the process
variable sets w and z, a conventional message passing model was evident; the
environment supplies the process input via w and the process supplies output
values via z. Predicate transformer semantics for specification statements

  z[A, E](P) = A ∧ ∀z(E ⇒ P)                                        (1)

were given in jOj and used to specify and refine real-time processes IlDllillllhllHIfij.
This was in analogy to Morgan's work with the difference that no zero-
subscripted variables were used to represent values on the prestate.



J.-P. Katoen (Ed.): ARTS'99, LNCS 1601, pp. 152-171, 1999.
© Springer-Verlag Berlin Heidelberg 1999

A Parallel Operator for Real-Time Processes    153



This high level specification technique made it possible to integrate assump-
tions on the environment into the specification of a process component. For
instance, a process that receives binary input values over time and changes its
output binary value if 0 comes in, can be specified with the help of the predicate

  E = ( z, w : IN → {0, 1} ∧ ∀n : IN •
        w(n) = 1 ⇒ z(n + 1) = z(n) ∧ w(n) = 0 ⇒ z(n + 1) ≠ z(n) )

and the specification statement z[true, E]. If it is known that the environment
provides only a selected set of input values w, for instance when w is stable for
a certain period p ∈ IN, we can incorporate this as an assumption A,

  A = ( w : IN → {0, 1} ∧ ∀n : IN •
        w(n) ≠ w(n + 1) ⇒ (∀k : IN • 1 ≤ k ≤ p ⇒ w(n + k) = w(n + 1)) )

in the above specification statement and obtain z[A, E].

Nevertheless, one of the major issues of this approach was how to define a 
parallel operator which was consistent with the above specification and refine- 
ment framework, such that different process specifications can be composed in 
parallel and independently refined. 

In many low level specification and refinement models it is common to restrict
the language and the refinement notions to guarantee monotonicity and associativity
of the corresponding parallel operator. This prevents assumptions on the
environment being included in the process specification. Lamport's
refinement of TLA formulae is based on logical implication 0 with parallel
composition being conjunction of TLA formulae [p. In TLA, any reasoning in a
complex refinement relies on so-called assumption/guarantee specifications. To
incorporate properties of the surrounding processes, assumptions are included
in an ad hoc manner (see P Ths. 2, 3). CSP 0 and CCS are specification
languages with refinement notions that are based on failures/divergences and
bisimulation. Assumptions upon the environment are commonly incorporated
using a dummy process that specifies the desired property.

Motivation for this paper came from ongoing work on real-time processes
with trace semantics ! 1 01 1 21 1 1 1412131 1 ™ and the search for a parallel operator
which is consistent with the refinement and specification theory in PCSISj. We
pursue two main goals: first, we recall and elaborate upon a promising specification
and refinement theory || for data-flow processes with strict message passing;
and second, we complete this theory by providing the notion of a parallel operator
which resolves the above issues. We compare four different versions of a
parallel operator and single out two appropriate candidates. Due to the generality
of the approach, these operators are not necessarily monotone or associative.
However, we will describe a natural design methodology for specification statements
such that associativity and monotonicity are always maintained within
refinements.

The remainder of the paper is organised as follows. Section 2 reviews the
central concept of a specification statement for data-flow processes. We provide
predicate transformer semantics and characterise refinement of specification
statements. The third section states central refinement rules for specification
statements. In Section 4, four different versions of a parallel operator for
specification statements are defined. Monotonicity issues are studied and rules
are stated for the partitioning of a process into several components. The correspondence
to the classical notion of a specification statement and its extension
to real-time is discussed in Section 5. Associativity is the focus of Section 6.
Due to their generality, the parallel operators are not necessarily associative. We
present obligations that guarantee associativity for parallel compositions. Section
7 gives an example specification and refinement where the refinement rules
and principles of the previous sections are applied. The paper concludes with
final remarks in Section 8.

2 Preliminaries

Throughout this paper we assume familiarity with basic notions of the refinement
calculus P3EI. By Pred_V we denote the set of all predicates over the variable
set V. Pred_V is a complete lattice with ordering

  A ⇛ B  iff  ∀v(A ⇒ B) .

If A ⇛ B and B ⇛ A we write A ≡ B. The set T(Pred_V, Pred_W) of all mono-
tone predicate transformers S : Pred_V → Pred_W is a complete lattice with the
refinement ordering m

  S ⊑ T  iff  ∀P ∈ Pred_V : S(P) ⇛ T(P) .

In case S ⊑ T and T ⊑ S we write S ≡ T.

The following semantics for specification statements is taken from j0|.

Definition 1. Assume variable sets u, z and w, and predicates A ∈ Pred_w,
E ∈ Pred_{w;z}, where w;z abbreviates the union of the disjoint variable sets w
and z. The set of all specification statements z[A, E] shall be denoted by

  S(z, Pred_{z;w}) .

The semantics of specification statements is given by the function

  θ^{z,w,u} : S(z, Pred_{z;w}) → T(Pred_{u;z}, Pred_{u∪w})
  θ^{z,w,u}(z[A, E])(P) = A ∧ ∀z(E ⇒ P) .

In the following, E^z denotes the closure of predicate E with respect to the
variables z, i.e., E^z = ∃z E, and w;z always denotes the union of disjoint variable
sets. If w and z are not necessarily disjoint, their union will be denoted by w ∪ z.

In a specification statement as above, the variables in z are called observ- 
ables or constructed variables of the process. Heuristically, they are constructed 
via the predicate E, called the effect predicate of the specification statement. 






The assumption A, a predicate with free variables in w, is used to incorporate 
assumptions on the environment into the process specification. The interface to 
the environment is provided by w. 

Another helpful identity is the following equality when the predicate trans-
former is restricted to a smaller set of predicates with free variables in v ⊆ u,

Furthermore, the following characterisation of refinement between specification
statements will be one of our essential tools.

Proposition 1 Let A_i ∈ Pred_w, E_i ∈ Pred_{w;z}, i = 1, 2. Then the following
conditions are equivalent

  i)   θ^{z,w,u}(z[A_1, E_1]) ⊑ θ^{z,w,u}(z[A_2, E_2]), for some u with u ∩ z = ∅
  ii)  A_1 ⇛ A_2 and (A_2 ⇒ E_2) ⇛ (A_1 ⇒ E_1)
  iii) A_1 ⇛ A_2 and (A_1 ∧ E_2) ⇛ E_1
  iv)  θ^{z,w,u}(z[A_1, E_1]) ⊑ θ^{z,w,u}(z[A_2, E_2]), for all u with u ∩ z = ∅

An important consequence of Proposition 1 is that S(z, Pred_{z;w}) can be
identified with a subset of S(z, Pred_{z;v}), as long as w ⊆ v and v ∩ z = ∅. Note
that this embedding preserves the refinement ordering given by ⊑.

Definition 2. For specification statements z[A_i, E_i] ∈ S(z, Pred_{z;w}), i = 1, 2,
we write z[A_1, E_1] ⊑ z[A_2, E_2] iff θ^{z,w,u}(z[A_1, E_1]) ⊑ θ^{z,w,u}(z[A_2, E_2]). When
we do not intend to mention the predicate transformer we write z[A_i, E_i](P)
instead of θ^{z,w,u}(z[A_i, E_i])(P).

Note that ⊑ defines a preorder on S(z, Pred_{z;w}). If z[A_1, E_1] ⊑ z[A_2, E_2]
and z[A_2, E_2] ⊑ z[A_1, E_1], we write the abbreviation z[A_1, E_1] ≡ z[A_2, E_2].
Thus we distinguish between equivalence classes of specification statements in
S(z, Pred_{z;w}) / ≡, rather than specification statements themselves. The following
commutative diagram states the correspondences between the involved monotone
mappings for the case v ⊆ u.

  [Commutative diagram: θ^{z,w,u} maps S(z, Pred_{z;w}) into T(Pred_{u;z}, Pred_{u∪w}),
  θ^{z,w,v} maps it into T(Pred_{v;z}, Pred_{v∪w}), and the two are related by the
  restriction ρ(T) = ∃u\(v∪w) • T|_{Pred_{v;z}}.]

Note that for specification statements with the above semantics,

  z[A, E](true) = A ,   z[A, E](false) = ¬(A ⇒ E^z) .
Definition 3. A statement z[A, E] is called feasible if z[A, E](false) = false.
Otherwise, it is called infeasible.

Hence we can say that z[A, E] is feasible iff A ⇛ E^z. In a refinement it is often
of no practical use to start with or refine to an infeasible specification. In order
to reach an implementation it is desirable to work with feasible specifications
mni. Nevertheless, that infeasible specification statements can be successively
used in refinements was shown in EEH].

3 Refinement Laws 

This section presents basic refinement rules for specification statements with
the above defined predicate transformer semantics. The majority of the rules
have the form of characterisations, which means that the involved conditions
are both necessary and sufficient for the corresponding refinement. Definition 0,
Propositions 00 and El can be found in altered or weaker versions in 0.

If constructed variables are irrelevant to the outside view of the specification 
they can be hidden with the following technique. 

Definition 4. Let v, z and w be pairwise disjoint variable sets. For every spec-
ification statement z,v[A, E] ∈ S(z;v, Pred_{z;v;w}), we introduce the syntactic
object z,v[A, E] \ {v} and define its meaning by extending θ as follows,

  θ^{z,w,u}(z,v[A, E] \ {v}) =

We say that v is hidden in z,v[A, E] \ {v}. This is a way of separating internal
variables from output variables. It can be shown that any refinement relation
remains valid under hiding.

Proposition 2 Let z,v[A_i, E_i] ∈ S(v;z, Pred_{v;z;w}), i = 1, 2. Then, the relation
θ^{z;v,w,u}(z,v[A_1, E_1]) ⊑ θ^{z;v,w,u}(z,v[A_2, E_2]) implies θ^{z,w,u}(z,v[A_1, E_1] \ {v}) ⊑
θ^{z,w,u}(z,v[A_2, E_2] \ {v}).

A specification statement with hidden variables can be rewritten as a pure
specification statement. The following proposition states that hiding of observ-
ables is nothing else than hiding in the effect predicate using the existential
quantifier.

Proposition 3 θ^{z,w,u}(z,v[A, E] \ {v}) ≡ θ^{z,w,u}(z[A, E^v]), for A ∈ Pred_w and
E ∈ Pred_{v;z;w}.

As a consequence of Proposition 3 we obtain the following proposition for
introducing fresh variables to a specification.

Proposition 4 (Introduce Variable) Let (z;w) ∩ v = ∅, A ∈ Pred_w and E
∈ Pred_{w;z}. Then, θ^{z,w,u}(z[A, E]) ≡ θ^{z,w,u}(z,v[A, E] \ {v}).
Weakening of preconditions and strengthening of postconditions are two
well-known refinement strategies in the conventional refinement calculus m.
Their equivalents in the data-flow setting are the following rules for weakening
assumptions and strengthening effects.

Proposition 5 (Weaken Assumption) Let A_i ∈ Pred_w, i = 1, 2 and E ∈
Pred_{w;z}. Then, z[A_1, E] ⊑ z[A_2, E] iff A_1 ⇛ A_2.

Proposition 6 (Strengthen Effect) Let A ∈ Pred_w, E_i ∈ Pred_{w;z}, i = 1, 2.
Then, z[A, E_1] ⊑ z[A, E_2] iff (E_2 ∧ A) ⇛ E_1.

From the previous result we deduce the following special case. It expresses
refinement without respecting any properties of the environment.

Corollary 1. z[true, E_1] ⊑ z[true, E_2] iff E_2 ⇛ E_1.

In this special case refinement is logical implication of the underlying formulae.
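A finite-horizon model of Definition 1, Proposition 1 (conditions i) and iii)), Definition 3 and Propositions 5 and 6, run on the binary toggling process of the Introduction, as an added Python example that is not from the paper. The horizon N (the page's ∀n : IN is truncated to 0..N−1), the choice u = w, and the names theta, refines_semantic, refines_syntactic, feasible, toggle and stable_input are this example's own assumptions.

```python
from itertools import product
from typing import Callable, Iterable, Tuple

# Constructed finite model of the assumption/effect statements z[A,E] on this page.
# w and z are the page's functions IN -> {0,1}, truncated to the horizon 0..N-1, so
# an assumption is a predicate over w and an effect (or postcondition P) over (w, z).
Bits = Tuple[int, ...]
Assumption = Callable[[Bits], bool]
Effect = Callable[[Bits, Bits], bool]


def all_bits(n: int) -> Iterable[Bits]:
    return product((0, 1), repeat=n)


def theta(A: Assumption, E: Effect, P: Effect, n: int) -> Assumption:
    """theta^{z,w,u}(z[A,E])(P) = A and forall z (E => P), taking u = w (Definition 1).
    The result is a predicate over w alone."""
    return lambda w: A(w) and all(P(w, z) for z in all_bits(n) if E(w, z))


def refines_semantic(A1, E1, A2, E2, n: int) -> bool:
    """Condition i) of Proposition 1, checked exhaustively: theta1(P) ==>> theta2(P)
    for every postcondition P. Since theta(P)(w) only reads P(w, .), it suffices to
    range over all subsets of z-values separately for each w."""
    zs = list(all_bits(n))
    for w in all_bits(n):
        for mask in range(1 << len(zs)):
            truth = {z for i, z in enumerate(zs) if mask >> i & 1}
            P = lambda w_, z, truth=truth: z in truth
            if theta(A1, E1, P, n)(w) and not theta(A2, E2, P, n)(w):
                return False
    return True


def refines_syntactic(A1, E1, A2, E2, n: int) -> bool:
    """Condition iii) of Proposition 1: A1 ==>> A2 and (A1 and E2) ==>> E1."""
    return all(not A1(w) or A2(w) for w in all_bits(n)) and all(
        not (A1(w) and E2(w, z)) or E1(w, z) for w in all_bits(n) for z in all_bits(n))


def feasible(A: Assumption, E: Effect, n: int) -> bool:
    """Definition 3, via the remark after it: z[A,E] is feasible iff A ==>> exists z E."""
    return all(not A(w) or any(E(w, z) for z in all_bits(n)) for w in all_bits(n))


# The toggling process of the page: the output changes exactly when input 0 arrives.
def toggle(w: Bits, z: Bits) -> bool:
    return all((z[k + 1] == z[k]) if w[k] == 1 else (z[k + 1] != z[k])
               for k in range(len(w) - 1))


def stable_input(p: int) -> Assumption:
    """Assumption A of the page: after a change, w keeps its new value for p steps
    (clauses that fall beyond the horizon are vacuously true)."""
    def A(w: Bits) -> bool:
        n = len(w)
        return all(w[k] == w[k + 1] or
                   all(w[k + j] == w[k + 1] for j in range(1, p + 1) if k + j < n)
                   for k in range(n - 1))
    return A


TRUE: Assumption = lambda w: True
toggle_from_zero: Effect = lambda w, z: toggle(w, z) and z[0] == 0
contradictory: Effect = lambda w, z: toggle(w, z) and z[0] == 0 and z[0] == 1

if __name__ == "__main__":
    N = 3
    # Weaken Assumption (Proposition 5): z[A,E] is refined by z[true,E] since A ==>> true,
    # but not the other way round.
    print(refines_syntactic(stable_input(2), toggle, TRUE, toggle, N))   # True
    print(refines_syntactic(TRUE, toggle, stable_input(2), toggle, N))   # False
    # Strengthen Effect (Proposition 6): fixing z(0) = 0 refines the free effect.
    print(refines_syntactic(TRUE, toggle, TRUE, toggle_from_zero, N))    # True
    # Feasibility (Definition 3).
    print(feasible(TRUE, toggle, N), feasible(TRUE, contradictory, N))   # True False
    # Proposition 1: the semantic check i) agrees with the syntactic check iii).
    print(refines_semantic(TRUE, toggle, TRUE, toggle_from_zero, N))     # True
```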

Rules for splitting a specification statement into a sequence of specification
statements are handled in ng and in |t)l I iS) for real-time processes. We men-
tion the central rule that concerns the sequential composition of specification
statements.

Definition 5. For (z_1;w_1) ∩ z_2 = ∅, the operator

  _ § _ : S(z_1, Pred_{z_1;w_1}) × S(z_2, Pred_{z_2;w_2}) → S(z_1;z_2, Pred_{z_1;z_2;(w_1∪w_2)\z_1})
  z_1[A_1, E_1] § z_2[A_2, E_2] = z_1,z_2[A_1 ∧ ∀z_1(E_1 ⇒ A_2), E_1 ∧ E_2]

defines the sequential composition of specification statements.

Let the operator ∘ denote the common sequential composition of predicate
transformers. It is helpful to recognise what sequential composition of specifica-
tion statements means in terms of the underlying predicate transformer seman-
tics.

Proposition 7 Let z_i[A_i, E_i] ∈ S(z_i, Pred_{z_i;w_i}), i = 1, 2, with (z_1;w_1) ∩ z_2 = ∅.
Then, with u_1 = w_2 \ z_1 and w = (w_1 ∪ w_2) \ z_1, the following identity is valid

  θ^{z_1;z_2,w,u}(z_1[A_1, E_1] § z_2[A_2, E_2]) ≡ θ^{…}(z_1[A_1, E_1]) ∘ θ^{…}(z_2[A_2, E_2]) .

We can conclude that _ § _ is a monotone operator in both arguments and
thus invariant under equivalence ≡ of specification statements.



4 The Parallel Operator 

Two major issues with respect to any parallel operator within a refinement
are: the partitioning of a system into several parallel conjoined components;
and the refinement of the individual components separately. With a monotone
parallel operator, any individual component can be refined separately and the
conjunction of the resulting specifications is a refinement of the entire system.
In this section we present four different notions for the parallel composition of
several assumption-effect specification statements.

Let us begin with a few heuristic observations. Assume that we have two
processes pr_1 and pr_2 with input w and outputs z_1 and z_2, respectively. Further
assume that they communicate with each other via the variables z_1 and z_2. When
represented as specification statements they may have the form z_i[A_i, E_i], i = 1, 2
with predicates A_1 ∈ Pred_{w;z_2}, A_2 ∈ Pred_{w;z_1} and E_i ∈ Pred_{w;z_1;z_2}. What is
the specification statement of their parallel composition? Due to the generality of
our approach with arbitrary assumption predicates and the underlying predicate
transformer semantics there is no ultimate answer to this question. We favour
the predicate

  A_1 ∧ A_2

as the resulting assumption on the environment when pr_1 and pr_2 are joined. In
calculating the effect of their parallel composition both individual effect pred-
icates must be considered and, importantly, also A_1 and A_2 could induce as-
sumptions on z_2 and z_1 and thus have to be respected as well. In our approach,
we will take either

  A_1 ∧ A_2 ∧ E_1 ∧ E_2
or
  (A_1 ⇒ E_1) ∧ (A_2 ⇒ E_2)

as the effect predicate of the parallel composition of pr_1 and pr_2.

Definition 6. For i ∈ {1, 2, 3, 4} the parallel operators on specification state-
ments

  _ ||_i _ : S(z_1, Pred_{z_1;w_1;z_2}) × S(z_2, Pred_{z_2;w_2;z_1}) → S(z_1;z_2, Pred_{z_1;z_2;w_1∪w_2})

are defined by

  z_1[A_1, E_1] ||_1 z_2[A_2, E_2] = z_1,z_2[ (A_1 ∧ A_2)^{z_1;z_2} , A_1 ∧ A_2 ∧ E_1 ∧ E_2 ]
  z_1[A_1, E_1] ||_2 z_2[A_2, E_2] = z_1,z_2[ (A_1 ∧ A_2)^{z_1;z_2} , (A_1 ⇒ E_1) ∧ (A_2 ⇒ E_2) ]
  z_1[A_1, E_1] ||_3 z_2[A_2, E_2] = z_1,z_2[ (A_1 ∨ A_2)^{z_1;z_2} , (A_1 ⇒ E_1) ∧ (A_2 ⇒ E_2) ]
  z_1[A_1, E_1] ||_4 z_2[A_2, E_2] = z_1,z_2[ (A_1 ∨ A_2)^{z_1;z_2} , A_1 ∧ A_2 ∧ E_1 ∧ E_2 ] .

These operators are defined using two well-known principles: hiding and conjunction.
Hiding of observables is used to specify the assumption of the parallel
composition. Conjunction is used to define the assumption and effect predicates
of the parallel composition. Undoubtedly, conjunction constitutes the abstract
principle behind parallel composition without incorporated assumptions on the
environment. When assumptions are included in specifications, it becomes
necessary to combine two assumptions into one assumption for the entire
process. We do this by conjoining the individual assumption predicates and by
hiding the observables.

All parallel operators are clearly commutative. A more subtle issue is whether
they are monotone, associative and invariant under equivalence $\equiv$ of specification
statements.
Proposition 8 (Monotonicity). The parallel operators $\|_2$ and $\|_3$ are monotone
in each argument with respect to the ordering $\sqsubseteq$ on specification statements.

Without any restrictions on the involved predicates, parallel composition
with $\_\|_1\_$ or $\_\|_4\_$ is not monotone with respect to the refinement ordering on the
individual components. Nevertheless, as long as we obey certain design rules for
the involved predicates, monotonicity can be ensured.

Proposition 9 (Monotonicity of $\|_1$). Let $z_1[A_{1j},E_{1j}] \in S(z_1, Pred_{z_1,w_1,z_2})$
and $z_2[A_{2j},E_{2j}] \in S(z_2, Pred_{z_2,w_2,z_1})$, $j = 1,2$. Assume further that $z_i[A_{i1},E_{i1}]
\sqsubseteq z_i[A_{i2},E_{i2}]$, $i = 1,2$. Then, the following two properties are equivalent.

i) $z_1[A_{11},E_{11}] \|_1 z_2[A_{21},E_{21}] \sqsubseteq z_1[A_{12},E_{12}] \|_1 z_2[A_{22},E_{22}]$

ii) $A_{12} \wedge A_{22} \wedge E_{12} \wedge E_{22} \wedge (A_{11} \wedge A_{21})^{z_1 z_2} \le A_{11} \wedge A_{21}$

The above stated obligation ii) characterises monotonicity of the parallel operator
$\_\|_1\_$. Note that $\_\|_4\_$ obeys a similar monotonicity rule to $\_\|_1\_$. From this
abstract condition more practical monotonicity rules can be deduced. For example,
$\_\|_1\_$ is monotone if the individual components are refined by strengthening
effect predicates using Proposition [ref].

From the above monotonicity principles it is possible to deduce the invariance 
of the parallel operators with respect to equivalence of specification statements. 

Corollary 2. For specification statements $z_1[A_{j1},E_{j1}] \in S(z_1, Pred_{z_1,w_1,z_2})$,
$z_2[A_{j2},E_{j2}] \in S(z_2, Pred_{z_2,w_2,z_1})$, $j = 1,2$, with $z_i[A_{1i},E_{1i}] \equiv z_i[A_{2i},E_{2i}]$ we
have $z_1[A_{11},E_{11}] \|_i z_2[A_{12},E_{12}] \equiv z_1[A_{21},E_{21}] \|_i z_2[A_{22},E_{22}]$, $1 \le i \le 4$.

If the assumptions do not refer to any constructed variables, parallel composition
with $\_\|_i\_$, $i = 1,2$, is the same as conjoining the assumptions and conjoining
the effects.

Corollary 3. If $z_2$ does not occur free in $A_1$ and $z_1$ does not occur free in $A_2$,
then $z_1[A_1,E_1] \|_i z_2[A_2,E_2] \equiv z_1,z_2[A_1 \wedge A_2, E_1 \wedge E_2]$, $i = 1,2$.

In parallel compositions with $\_\|_1\_$ an implicit causal dependence is introduced
that constrains the effect predicates. Note the equalities

$z_1[A_1,E_1] \|_1 z_2[A_2,E_2] = z_1[A_1, A_2 \wedge E_1] \|_1 z_2[A_2, A_1 \wedge E_2]$ (2)

$= z_1[A_1, A_2 \Rightarrow E_1] \|_1 z_2[A_2, A_1 \Rightarrow E_2]$ .

Causality is an important issue because of the impact of the surrounding processes
on each individual component. Within refinements, these dependencies
may be extremely helpful and thus play an essential role for well-designed
specifications (see section [ref]). The refinement of a process component may only be
possible under those side-conditions provided by the surrounding processes. The
notion of causality can be defined for more than two predicates:

Definition 7. The predicates $A_i, E_i \in Pred_{w, \bigcup_{1 \le j \le n} z_j}$, $1 \le i \le n$, are called
causal (with respect to $z_i$, $1 \le i \le n$) if $\bigwedge_{j \ne i}(E_j \wedge A_j) \le A_i$ for all $i \in
\{1,\ldots,n\}$.
Recall our simple binary-valued real-time process from the introduction. We
now consider what happens if we compose two processes $z[true,E]$ in parallel
and connect them via $z$ and $w$. Let $F$ denote the predicate $E[w/z,z/w]$ that
results from $E$ by swapping $z$ and $w$. Then, we obtain the parallel composition

$z[true,E] \|_i w[true,F] = z,w[true, E \wedge F]$ , $i \in \{1,2,3,4\}$

Note that $E \wedge F$ defines the set of input/output pairings $\{(a,a),(b,b),(c,d),(d,c)\}$,
where $a = 11111\ldots$, $b = 01111\ldots$, $c = 10111\ldots$, and $d = 00111\ldots$.

Let us introduce a nontrivial assumption predicate that is defined by $A =
(w \in \{a,b,c,d\})$. In other words, if $z$ is hidden in $E \wedge F$ we get $A$. Straight from
the definition of the parallel operator we then obtain the following identities.

$z[A,E] \|_i w[true,F] = z,w[A^{z w}, E \wedge F \wedge A] = z,w[true, E \wedge F]$

$= z[true,E] \|_i w[true,F]$ , $i = 1,4$

$z[A,E] \|_i w[true,F] = z,w[A^{z w}, (A \Rightarrow E) \wedge F] = z,w[true, (A \Rightarrow E) \wedge F]$

$= z[true, A \Rightarrow E] \|_i w[true,F]$ , $i = 2,3$

By the definition of the parallel operator, any statement $z_1,z_2[A_1 \wedge A_2, E_1 \wedge E_2]$
with $A_1 \in Pred_{w,z_2}$, $A_2 \in Pred_{w,z_1}$ and $E_1,E_2 \in Pred_{w,z_1,z_2}$ trivially refines to
the parallel composition $z_1[A_1,E_1] \|_1 z_2[A_2,E_2]$. The component $z_1[A_1,E_1]$ takes
$A_1$ as an assumption on its environment, but the effect of process $z_2[A_2,E_2]$
is not incorporated. We will investigate the effect of component $z_2[A_2,E_2]$ on
component $z_1[A_1,E_1]$ and prove that it is possible to incorporate the effect
of the sibling component if the original specification is feasible. In such cases,
the refinement remains valid with much stronger assumptions in the individual
processes as stated in the following rule for splitting a process into the parallel
composition of several components.

Proposition 10 (Splitting with $\|_1$). Let $w, z_1, z_2$ be pairwise disjoint, $A_1,F_2
\in Pred_{w,z_2}$, $A_2,F_1 \in Pred_{w,z_1}$ and $E_1,E_2 \in Pred_{w,z_1,z_2}$ and $E = A_1 \wedge A_2 \wedge
E_1 \wedge E_2 \wedge F_1 \wedge F_2$. Then the following two conditions are equivalent

i) $z_1,z_2[(A_1 \wedge A_2)^{z_1 z_2}, E] \sqsubseteq z_1[A_1 \wedge F_2, E_1 \wedge F_1] \|_1 z_2[A_2 \wedge F_1, E_2 \wedge F_2]$

ii) $A_1 \wedge A_2 \le (A_1 \wedge F_2)^{z_2} \wedge (A_2 \wedge F_1)^{z_1}$

In any case we have the converse refinement

$z_1[A_1 \wedge F_2, E_1 \wedge F_1] \|_1 z_2[A_2 \wedge F_1, E_2 \wedge F_2] \sqsubseteq z_1,z_2[(A_1 \wedge A_2)^{z_1 z_2}, E]$

Strengthening assumptions with effects of the sibling processes as above is 
possible when dealing with the entire process, because a parallel composition 
may rule out certain behaviours of the individual components. 

5 Classical Theory and Real-Time Trace Semantics

In this section we explain how the classical specification and refinement theory
[ref] and its real-time extension [refs] can be embedded into the context of the
previous sections.

Definition 8. Let $w, z, z_0$ be disjoint sets of variables, where $z_0$ denotes the set
of all 0-indexed copies of variables in $z$. Let $A \in Pred_{z,w}$, $E \in Pred_{z,z_0,w}$. The
set of all objects of the form $z[A,E]^{cl}$ shall be denoted by $S^{cl}(z, Pred_{z,z_0,w})$. The
semantics of a specification statement $z[A,E]^{cl}$ is given by the mapping

$\Theta^{z,w}_{cl} : S^{cl}(z, Pred_{z,z_0,w}) \to (Pred_{z,w} \to Pred_{z,w})$

$\Theta^{z,w}_{cl}(z[A,E]^{cl})(P) = A \wedge \forall z (E \Rightarrow P)[z/z_0]$



The correspondence between a classical specification statement and a specification
statement as used in this paper is depicted in the following commutative
diagram.

[Commutative diagram: the map $\mu(z[A,E]^{cl}) = z[A[z_0/z], E]$ takes $S^{cl}(z, Pred_{z,z_0,w})$ to $S(z, Pred_{z,z_0,w})$; the two semantics $\Theta^{z,w}_{cl}$ and $\Theta^{z,z_0,w}$ are related by $\epsilon(T)(P) = T(P)[z_0/z]$ on predicate transformers.]



The common sequential composition of specification statements, usually defined
via the composition of the underlying predicate transformers, can also be
defined at the syntactic level.

Definition 9. Let $z, z_0, w$ be disjoint sets of variables, where $z_0$ denotes the set
of all 0-indexed copies of variables in $z$. The operator

$\_\,;\,\_ : S^{cl}(z, Pred_{z,z_0,w}) \times S^{cl}(z, Pred_{z,z_0,w}) \to S^{cl}(z, Pred_{z,z_0,w})$

$z[A_1,E_1]^{cl} \,;\, z[A_2,E_2]^{cl} = z[A_1 \wedge \forall z(E_1 \Rightarrow A_2)[z/z_0],\ (E_1[h/z] \wedge E_2[h/z_0])^{h}]^{cl}$

defines the sequential composition of specification statements with 0-indexed variables
in the classical sense.

Thus, the semantics of sequential composition of specification statements is
nothing else than sequential composition of the underlying predicate transformers.
Note also that sequential composition in the classical sense can be expressed
with the previously introduced sequential operator $\_\,;\,\_$.

Proposition 11. The classical sequential composition $\_\,;\,\_$ of Definition 9, the composition
$\_\circ\_$ of predicate transformers and the sequential operator of the previous sections are
related as follows,

i) $\Theta^{z,w}_{cl}(z[A_1,E_1]^{cl} \,;\, z[A_2,E_2]^{cl}) = \Theta^{z,w}_{cl}(z[A_1,E_1]^{cl}) \circ \Theta^{z,w}_{cl}(z[A_2,E_2]^{cl})$

ii) $\mu(z[A_1,E_1]^{cl} \,;\, z[A_2,E_2]^{cl}) = (\,h[A_1[z_0/z], E_1[h/z]] \,;\, z[A_2[h/z], E_2[h/z_0]]\,) \setminus \{h\}$

162    Karl Lermer

So far, we have seen that everything introduced in the previous sections can
be expressed in the classical context [ref] and vice versa. It remains to define the
real-time extension [refs] of the classical specification statement which makes it
possible to apply all previously introduced operators to real-time specifications.
We assume the following abbreviations,

$stable(v, I) = \forall t_1, t_2 \in I \bullet v(t_2) = v(t_1)$

$A(p) = (\mathit{dom}\, p = 0 \ldots \tau)$

$E(p, z) = (\tau_0 \le \tau \wedge \mathit{dom}\, p = 0 \ldots \tau \wedge p_0 = (0 \ldots \tau_0) \lhd p \wedge stable(p \setminus z, \tau_0 \ldots \tau))$



Definition 10. Let $p, w$ be disjoint sets of variables with a distinguished time
variable $\tau$ occurring in $p$. The variables $p \setminus \{\tau\}$ shall be denoted by $\bar p$. We assume
that $\bar p$ consists of trace variables ranging over time $\tau$. As above $p_0$ denotes all
0-indexed copies of variables in $p$. Let $A \in Pred_{p,w}$, $E \in Pred_{p,p_0,w}$. The set
of all real-time specification statements of the form $\{p\} * z[A,E]$ with $z \subseteq \bar p$ is
denoted by $S^{rt}(p, Pred_{p,p_0,w})$ and its semantics is given in terms of the classical
semantics by

$\pi^{p,w} : S^{rt}(p, Pred_{p,p_0,w}) \to S^{cl}(p, Pred_{p,p_0,w})$

$\pi^{p,w}(\{p\} * z[A,E]) = p[A \wedge A(p), E \wedge E(p,z)]^{cl}$

The sequential and parallel composition operators $\_\,;\,\_$, $\_\|_i\_$ for real-time specification
statements are defined by transformation into the classical context.

$\pi^{p,w}(\{p\} * z[A,E] \,;\, \{p\} * v[A,E]) = \pi^{p,w}(\{p\} * z[A,E]) \,;\, \pi^{p,w}(\{p\} * v[A,E])$

Let $p, q$ be variable sets with $p \cap q = \{\tau\}$ and $i \in \{1,2,3,4\}$. Then,

$\pi^{p \cup q, w}(\{p\} * z_1[A_1,E_1] \|_i \{q\} * z_2[A_2,E_2]) =$

$\mu(\pi^{p,w}(\{p\} * z_1[A_1,E_1])) \setminus \{\tau\} \;\|_i\; \mu(\pi^{q,w}(\{q\} * z_2[A_2,E_2])) \setminus \{\tau\}$

The sequential composition of several real-time specification statements determines
the involved traces on consecutive time intervals. This can be seen with
the following simple example where the trace $z$ over $\mathbb{N}$ is defined for the values
1 and 0 by two specification statements in sequence and $\tau$ ranges over $\mathbb{N}$.
By applying Props. [refs] and abbreviating $Tr = \mu \circ \pi^{\{z,\tau\},\emptyset}$ we obtain

$Tr(\{z,\tau\} * z[\tau \le 1, z(1) = 0 \wedge \tau \le 2] \,;\, \{z,\tau\} * z[\tau \le 2, z(2) = 1 \wedge \tau \ge 2])$

$= Tr(\{z,\tau\} * z[\tau \le 1, z(1) = 0 \wedge z(2) = 1 \wedge \tau \ge 2])$

6 Associativity

Associativity holds for the parallel operator of many well-known specification
and refinement frameworks [refs]. This is guaranteed because no assumptions
are incorporated in the specifications of process components. In our high
level model the parallel operators $\_\|_1\_$ and $\_\|_2\_$ are not associative due to the
generality of the underlying refinement notion. The ability to incorporate arbitrary
assumptions in specification statements adds much complexity to the
specification model and causes the loss of associativity.

We investigate associativity of $\_\|_1\_$ in detail and introduce what we will call
perfect specification statements. The notion of perfect specifications proves to be
central for the associativity of $\_\|_1\_$: maintaining and creating perfect specification
statements during the refinement guarantees associativity in every parallel
composition. We will also see that associativity relies on causality and feasibility
assumptions on the involved specifications. Thus, a careful design during the
refinement ensures associativity in parallel compositions with $\_\|_1\_$. Associativity
criteria for $\_\|_2\_$ are more complicated and will not be discussed here.

As a first step, we investigate associativity on parallel compositions of three
specification statements.

Proposition 12. For $z_i[A_i,E_i]$, $i = 1,2,3$, the parallel compositions

(a) $(z_1[A_1,E_1] \|_1 z_2[A_2,E_2]) \|_1 z_3[A_3,E_3]$,

(b) $z_1[A_1,E_1] \|_1 (z_2[A_2,E_2] \|_1 z_3[A_3,E_3])$ and

(c) $(z_1[A_1,E_1] \|_1 z_3[A_3,E_3]) \|_1 z_2[A_2,E_2]$ are equal w.r.t. $\equiv$ iff the following
predicates are equivalent

(a') $((A_1 \wedge A_2)^{z_1 z_2} \wedge A_3)^{z_1 z_2 z_3}$

(b') $((A_2 \wedge A_3)^{z_2 z_3} \wedge A_1)^{z_1 z_2 z_3}$ (3)

(c') $((A_1 \wedge A_3)^{z_1 z_3} \wedge A_2)^{z_1 z_2 z_3}$

From Proposition 12 we know that three specification statements $z_i[A_i,E_i]$,
$i = 1,2,3$, are associative if the predicates in (3) are equivalent. Thus, associativity
is a property that relies only on the involved assumptions. Informally,
associativity holds if $A_1$ and $A_2$ make no contradictory assumptions on $z_3$, if $A_2$
and $A_3$ make no contradictory assumptions on $z_1$ and if $A_1$ and $A_3$ make no
contradictory assumptions on $z_2$.

The above observations inspire the following definitions. To generalise Proposition
12 for more than three specification statements we use the abbreviation

$\mathcal{P}_{(i_1,\ldots,i_n)}[(A_i)_{1 \le i \le n}] = (\ldots((A_{i_1} \wedge A_{i_2})^{z_{i_1} z_{i_2}} \wedge A_{i_3})^{z_{i_1} z_{i_2} z_{i_3}} \wedge \ldots \wedge A_{i_n})^{z_{i_1} \ldots z_{i_n}}$

Note that under the assumptions of Prop. 12 the predicates $\mathcal{P}_{(1,2,3)}[(A_i)_{1 \le i \le 3}]$,
$\mathcal{P}_{(2,3,1)}[(A_i)_{1 \le i \le 3}]$ and $\mathcal{P}_{(1,3,2)}[(A_i)_{1 \le i \le 3}]$ denote the predicates (a'), (b') and
(c') of (3).

Definition 11. Assume pairwise disjoint variable sets $z_i$ and predicates $A_i \in
Pred_{w, \bigcup_{j \ne i} z_j}$, $E_i \in Pred_{w, \bigcup_j z_j}$, $1 \le i \le n$.

(a) The predicates $A_i$, $1 \le i \le n$, are called associative (w.r.t. $z_i$, $1 \le i \le n$)
if the predicates

$\mathcal{P}_{(\sigma(1),\ldots,\sigma(n))}[(A_i)_{1 \le i \le n}]$ , $\sigma$ a permutation of $\{1,\ldots,n\}$

are all equivalent. They are called perfect (w.r.t. $z_i$, $1 \le i \le n$) if for every
$1 \le l \le n$, $1 \le i \le n$ and natural numbers $1 \le i_1 < i_2 < \cdots < i_l \le n$ the
following equality holds

$\big((\bigwedge_{1 \le k \le l} A_{i_k})^{z_{i_1} \ldots z_{i_l}} \wedge A_i\big)^{z_{i_1} \ldots z_{i_l} z_i} = \big((\bigwedge_{1 \le k \le l} A_{i_k}) \wedge A_i\big)^{z_{i_1} \ldots z_{i_l} z_i}$ .

(b) The specification statements $z_i[A_i,E_i]$, $1 \le i \le n$, are called perfect if
for every set $M \subseteq \{1,\ldots,n\}$ the specifications $z_i[A_i,E_i]$, $i \in M$, are associative
under the parallel operator $\_\|_1\_$ and their composition equals

$\bigcup_{i \in M} z_i\,[(\bigwedge_{i \in M} A_i)^{\bigcup_{i \in M} z_i},\ \bigwedge_{i \in M}(A_i \wedge E_i)]$ .

In case (b) we will speak of the parallel composition of $z_i[A_i,E_i]$, $1 \le i \le n$,
and denote it by $\|_1\, i \in M : z_i[A_i,E_i]$.

Obviously, if $A_1 \in Pred_{w,z_2}$, $A_2 \in Pred_{w,z_1}$, $E_1,E_2 \in Pred_{w,z_1,z_2}$, the two
specifications $z_1[A_1,E_1]$, $z_2[A_2,E_2]$ are perfect.

With the above notations we can generalise Proposition 12 and formulate
the correspondence between associative (perfect) specifications and predicates.

Proposition 13 (Associativity for $\|_1$). The specifications $z_i[A_i,E_i]$, $1 \le i \le
n$, are associative (perfect) under $\_\|_1\_$ iff the predicates $A_i$, $1 \le i \le n$, are
associative (perfect) with respect to $z_i$, $1 \le i \le n$.

To have maximal control at each design or refinement level it is desirable to
work with perfect specifications. Therefore arguments are required that ensure
perfect specifications in refinements. Of course, an immediate resolution of this
issue is to drop all assumptions. If all assumptions are $true$, then associativity is
no issue any more: the parallel operators are associative without any restrictions
on specifications with $true$ assumptions. We can extend this trivial observation
for assumption predicates that do not refer to any of the observables:

Proposition 14. If $A_i \in Pred_w$, $E_i \in Pred_{w, \bigcup_{1 \le j \le n} z_j}$, then the specifications
$z_i[A_i,E_i]$, $1 \le i \le n$, are perfect.

We proceed with two simple observations concerning the creation of perfect
specifications with the monotonicity laws, Props. 8 and 9.

Proposition 15. Let $z_i[A_i,E_i]$, $1 \le i \le n$, be perfect specifications.

i) If $z_1[A_1,E_1] \sqsubseteq z_1[A_1,E_1']$ then the specifications $z_1[A_1,E_1']$, $z_i[A_i,E_i]$, $2 \le
i \le n$, are perfect with

$\|_1\, 1 \le i \le n : z_i[A_i,E_i] \ \sqsubseteq\ z_1[A_1,E_1'] \|_1 (\,\|_1\, 2 \le i \le n : z_i[A_i,E_i]\,)$ .

ii) If $A_1 = A_1^1 \wedge A_1^2$ (neither $A_1^1$ nor $A_1^2$ refers to $z_1 = (z_1^1, z_1^2)$) and $z_1[A_1,E_1] \sqsubseteq
z_1^1[A_1^1,E_1^1] \|_1 z_1^2[A_1^2,E_1^2]$ then the specifications $z_1^j[A_1^j,E_1^j]$, $j = 1,2$, $z_i[A_i,E_i]$,
$2 \le i \le n$, are perfect with

$\|_1\, 1 \le i \le n : z_i[A_i,E_i] \ \sqsubseteq\ z_1^1[A_1^1,E_1^1] \|_1 z_1^2[A_1^2,E_1^2] \|_1 (\,\|_1\, 2 \le i \le n : z_i[A_i,E_i]\,)$ .

Obligation i) states that perfect specifications are stable under strengthening
postconditions and obligation ii) is a simple rule to increase the number of perfect
specification statements by splitting assumptions.

Causality, as defined in Definition 7, and feasibility under certain conditions
guarantee perfect specification statements. The following proposition explicitly
states these conditions for parallel compositions of three perfect specification
statements.

Proposition 16. Three specifications $z_i[A_i,E_i]$, $i = 1,2,3$, are perfect if the
predicates $A_i, E_i$, $i = 1,2$, are causal with respect to $z_1, z_2$ and if each of the
specifications $z_i[A_i,E_i]$, $i = 1,2$, $(z_1[A_1,E_1] \|_1 z_2[A_2,E_2]) \|_1 z_3[A_3,E_3]$ is feasible.

With Propositions 15 and 16 we can derive the following monotonicity law
that reflects a refinement process beginning with one, then two and finally three
specification statements with nontrivial assumptions.

Corollary 4. Assume feasible specifications $z_i[A_i,E_i]$, $i = 1,2$, with causal
predicates $A_1 \in Pred_{w,z_2}$, $A_2 \in Pred_{w,z_1}$, $E_i \in Pred_{w,z_1,z_2}$, $i = 1,2$, and feasible
composition $z_1[A_1,E_1] \|_1 z_2[A_2,E_2]$. Assume further disjoint variable sets
$z_1^1, z_1^2$ with $z_1 = (z_1^1, z_1^2)$ and predicates $A_1^1 \in Pred_{w,z_2,z_1^2}$, $A_1^2 \in Pred_{w,z_2,z_1^1}$,
$E_1^i \in Pred_{w,z_2,z_1}$, $i = 1,2$. If $z_1[A_1,E_1] \sqsubseteq z_1^1[A_1^1,E_1^1] \|_1 z_1^2[A_1^2,E_1^2]$ and $A_1 =
A_1^1 \wedge A_1^2$, then the specifications $z_2[A_2,E_2]$, $z_1^i[A_1^i,E_1^i]$, $i = 1,2$, are perfect
and $z_1[A_1,E_1] \|_1 z_2[A_2,E_2] \sqsubseteq z_1^1[A_1^1,E_1^1] \|_1 z_1^2[A_1^2,E_1^2] \|_1 z_2[A_2,E_2]$.

We may split a feasible specification statement $z[A,E]$ into two components
with causal predicates, $z_1[A_1,E_1]$ and $z_2[A_2,E_2]$, via equality (2) in section 4. If
the resulting two components are feasible then we may refine them individually
by strengthening postconditions as in Proposition [ref]. Corollary 4 ensures that
the resulting specifications are perfect.

Thanks to the $\vee$-operator in the assumption predicates, parallel composition
with $\_\|_3\_$ and $\_\|_4\_$ is always associative.

Proposition 17. The parallel operators $\_\|_3\_$ and $\_\|_4\_$ are associative.

7 Example

In a simple case study we show how the rules of the previous sections can be
used to refine a single specification statement to a multi-component specification.
For more complex examples about the sequential refinement of specification
statements in the real-time setting we refer to [refs].

A process should compute repeatedly the mode value of six binary input
values $in_1, \ldots, in_6$ and output this value after three time units. If more than two
inputs are 1 then the output will be 1. The effect

$E = (\, out : \mathbb{N} \to \{0,1\} \wedge (\forall n : \mathbb{N} \bullet out(n+3) = 1 \Leftrightarrow |\{i \bullet in_i(n) = 1\}| > 3)\,)$

will be achieved under the assumption that the environment never supplies odd
numbers of 0 and 1 at any time, as in the following.

$A = (\, in_1, \ldots, in_6 : \mathbb{N} \to \{0,1\} \wedge (\forall n : \mathbb{N} \bullet 0 = (\sum_{i=1}^{6} in_i(n)) \bmod 2)\,)$

The specification of the entire process can be given as $out[A,E]$. To split
this specification further into three components we introduce the following new
effect predicates:

$E_0 = (\, out : \mathbb{N} \to \{0,1,\top\} \wedge out(0) = out(1) = 0 \wedge (\forall n : \mathbb{N} \bullet$
$(out(n+2) = 0 \Leftrightarrow 0 \le h_1(n) + h_2(n) < 3) \wedge (out(n+2) = 1 \Leftrightarrow 3 < h_1(n) + h_2(n)))\,)$

$E_1 = (\, h_1 : \mathbb{N} \to \mathbb{Z} \wedge h_1(0) = 0 \wedge (\forall n : \mathbb{N} \bullet h_1(n+1) = in_1(n) + in_2(n) + in_3(n))\,)$

$E_2 = (\, h_2 : \mathbb{N} \to \mathbb{Z} \wedge h_2(0) = 0 \wedge (\forall n : \mathbb{N} \bullet h_2(n+1) = in_4(n) + in_5(n) + in_6(n))\,)$

The variables $h_1$ and $h_2$ are initialised by 0 and then set to the sum of $in_1$, $in_2$
and $in_3$, respectively $in_4$, $in_5$ and $in_6$. In $E_0$, the output set for $out$ is increased
by $\top$ to denote an input failure in the cases $h_1 + h_2 = 3$ and $h_1 + h_2 < 0$. Note
that this can never happen under assumption $A$; nevertheless it increases the
usability of the process component if $A$ is removed.

The internal variable set $\{h_1, h_2\}$ shall be abbreviated by $IV$. Then, the
refinement

$out[A,E] \sqsubseteq out, h_1, h_2[A, E_0 \wedge E_1 \wedge E_2] \setminus IV$

holds because of $A \wedge E_0 \wedge E_1 \wedge E_2 \le E$, and Propositions [refs]. For
this refinement step we obviously need the assumption $A$ on the environment.

We proceed with

$out, h_1, h_2[A, E_0 \wedge E_1 \wedge E_2]$

{Prop. [ref]} $= out[A \wedge E_1 \wedge E_2, E_0] \|_1 h_1, h_2[A, E_1 \wedge E_2]$

{Def. of $\|_1$} $= out[A \wedge E_1 \wedge E_2, E_0] \|_1 (\,h_1[A,E_1] \|_1 h_2[A,E_2]\,)$

{Prop. [ref]} $= out[A \wedge E_1 \wedge E_2, E_0] \|_1 h_1[A,E_1] \|_1 h_2[A,E_2]$ .

Next, the process $out[A \wedge E_1 \wedge E_2, E_0]$ will be split into 2 components,

$E_3 = (\, out : \mathbb{N} \to \{0,1,\top\} \wedge out(0) = 0 \wedge (\forall n : \mathbb{N} \bullet$
$(out(n+1) = 0 \Leftrightarrow 0 \le pr(n) < 3) \wedge (out(n+1) = 1 \Leftrightarrow 3 < pr(n) \le 6))\,)$

$E_4 = (\, pr : \mathbb{N} \to \mathbb{Z} \wedge pr(0) = 0 \wedge (\forall n : \mathbb{N} \bullet$
$((h_1(n) < 0 \vee h_2(n) < 0) \Rightarrow pr(n+1) < 0) \wedge$
$((h_1(n) \ge 0 \wedge h_2(n) \ge 0) \Rightarrow pr(n+1) = h_1(n) + h_2(n)))\,)$
With these new predicates we obtain $A \wedge E_1 \wedge E_2 \wedge E_3 \wedge E_4 \le E_0$. Hence,

$out[A \wedge E_1 \wedge E_2, E_0]$

{Props. [refs]} $\sqsubseteq out, pr[A \wedge E_1 \wedge E_2, E_3 \wedge E_4] \setminus \{pr\}$

{Def. of $\|_1$} $= (\,out[A \wedge E_1 \wedge E_2, E_3] \|_1 pr[A, E_4]\,) \setminus \{pr\}$

{Props. [refs]} $\sqsubseteq (\,out[A, E_3] \|_1 pr[A, E_4]\,) \setminus \{pr\}$ .

The whole refinement chain can now be stated as

$out[A,E]$

$\sqsubseteq out, h_1, h_2[A, E_0 \wedge E_1 \wedge E_2] \setminus IV$

$= (\, out[A \wedge E_1 \wedge E_2, E_0] \|_1 h_1[A,E_1] \|_1 h_2[A,E_2] \,) \setminus IV$

{Prop. [ref]} $\sqsubseteq (\,(out[A,E_3] \|_1 pr[A,E_4]) \setminus \{pr\} \;\|_1\; (h_1[A,E_1] \|_1 h_2[A,E_2])\,) \setminus IV$

{Prop. [ref]} $\sqsubseteq (\, out[A,E_3] \|_1 pr[A,E_4] \|_1 h_1[A,E_1] \|_1 h_2[A,E_2] \,) \setminus (IV \cup \{pr\})$ .
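As an added example (not part of the paper), the effect predicates of the case study above can be executed over a bounded horizon: each of $E_1$, $E_2$, $E_3$, $E_4$ and $E_0$ becomes a trace function, every step-0 input vector is tried (later steps are padded with zero inputs, a constructed choice that does not influence $out(3)$), and the four-component process is compared with $E_0$ and with the original effect $E$, both under assumption $A$ and without it.

```python
"""Bounded-horizon check of the Section 7 case study.

Added example, not from the paper: E_0..E_4 realised as trace functions over
three time steps; padding of steps 1 and 2 with zero inputs is a constructed
choice.  TOP models the paper's extra output value for an input failure.
"""
import itertools

TOP = None
HORIZON = 3        # out(3) is the first output that depends on step-0 inputs


def h_traces(ins):
    """E_1, E_2: h_j(0) = 0, h_1(n+1) = in_1+in_2+in_3, h_2(n+1) = in_4+in_5+in_6 at n."""
    h1, h2 = [0], [0]
    for n in range(HORIZON):
        h1.append(sum(ins[n][:3]))
        h2.append(sum(ins[n][3:]))
    return h1, h2


def pr_trace(h1, h2):
    """E_4: pr(0) = 0; pr(n+1) < 0 if some h_j(n) < 0, else h_1(n) + h_2(n)."""
    pr = [0]
    for n in range(HORIZON):
        pr.append(-1 if h1[n] < 0 or h2[n] < 0 else h1[n] + h2[n])
    return pr


def out_e3(pr):
    """E_3: out(0) = 0; out(n+1) = 0 iff 0 <= pr(n) < 3, = 1 iff 3 < pr(n) <= 6, else TOP."""
    out = [0]
    for n in range(HORIZON):
        v = pr[n]
        out.append(0 if 0 <= v < 3 else 1 if 3 < v <= 6 else TOP)
    return out


def out_e0(h1, h2):
    """E_0: out(0) = out(1) = 0; out(n+2) is decided by h_1(n) + h_2(n)."""
    out = [0, 0]
    for n in range(HORIZON):
        s = h1[n] + h2[n]
        out.append(0 if 0 <= s < 3 else 1 if 3 < s else TOP)
    return out


def effect_e(ins, n):
    """E: out(n+3) = 1 iff more than three of the six inputs at n are 1."""
    return 1 if sum(ins[n]) > 3 else 0


def assumption_a(ins):
    """A: at every step the number of 1s among the six inputs is even."""
    return all(sum(x) % 2 == 0 for x in ins)


def check_case_study():
    """Try all 64 step-0 input vectors.  Returns (inputs satisfying A,
    mismatches between the split process and E under A, mismatches between
    E_3/E_4 and E_0, inputs violating A on which the split process outputs TOP)."""
    under_a = bad_vs_e = bad_vs_e0 = top_without_a = 0
    zero = (0,) * 6                                  # constructed padding
    for step0 in itertools.product((0, 1), repeat=6):
        ins = [step0, zero, zero]
        h1, h2 = h_traces(ins)
        out = out_e3(pr_trace(h1, h2))
        bad_vs_e0 += out[3] != out_e0(h1, h2)[3]
        if assumption_a(ins):
            under_a += 1
            bad_vs_e += out[3] != effect_e(ins, 0)
        elif out[3] is TOP:
            top_without_a += 1
    return under_a, bad_vs_e, bad_vs_e0, top_without_a
```

Under $A$ the split process reproduces $E$ on all 32 even-parity inputs, and without $A$ the $\top$ output marks exactly the 20 inputs with three 1s, the failure case the text describes.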

8 Conclusions 

We have extended the specification and refinement calculus [refs] by providing
more refinement rules and a parallel operator notion for specification statements.
Due to the generality of the underlying specification and refinement notion,
parallel composition is not necessarily associative or monotone. However,
we described a design methodology for specification statements that guarantees
monotonicity and associativity in parallel compositions and their refinements.
We introduced the notion of perfect specifications and pointed out how this
guarantees associativity during refinements with nontrivial assumption predicates.

Many well-known specification and refinement models restrict
their language and refinement notions to guarantee monotonicity and associativity.
There is a common recipe for this: process specifications make no assumptions
on the environment. In analogy to standard low level parallel operators,
$\_\|_1\_$ is monotone and associative when no assumptions occur in the specification
statements (see Props. [refs]). Nevertheless, the power to incorporate assumptions
in process components in the very abstract level of a refinement process
justifies the loss of monotonicity or associativity of the parallel operator: if a design
methodology for specifications can guarantee monotonicity and associativity
there is no need to ensure both desired principles in the general case.

Note that there is no unique definition of the parallel operator and there are
several candidates with properties of varying desirability. It seems that there is
no ultimate answer to the issue of a parallel operator in the predicate transformer
setting. In this paper four different operator notions have been investigated. We
are in favour of the operators $\_\|_1\_$ and $\_\|_2\_$ where the former probably has better
features than the latter. The operator $\_\|_2\_$ behaves very similarly to $\_\|_1\_$.
In general, it lacks associativity and obeys similar refinement laws. It is monotone
and weaker than $\_\|_1\_$, i.e., $z_1[A_1,E_1] \|_2 z_2[A_2,E_2] \sqsubseteq z_1[A_1,E_1] \|_1 z_2[A_2,E_2]$.
Nevertheless, the splitting into process components and the formulation of associativity
criteria turn out to be more complicated than for $\_\|_1\_$ in Propositions 10
and [ref].

Thanks to the $\vee$-operator, $\_\|_3\_$ is associative and monotone. But $\_\|_3\_$ and
$\_\|_4\_$ fail to abort the entire process if one of the sibling processes aborts, i.e.,

$z_1[false,E_1] \|_3 z_2[A_2,E_2](P) = A_2^{z_1 z_2} \wedge \forall z_1, z_2((A_2 \Rightarrow E_2) \Rightarrow P)$ and

$z_1[false,E_1] \|_4 z_2[A_2,E_2](P) = A_2^{z_1 z_2}$ .

The individual features of the different parallel operators are listed in the
following table.

| Operator | monotone w.r.t. $\sqsubseteq$ | associative   | aborts if a sibling aborts | splitting into components | invariant w.r.t. $\equiv$ |
|----------|-------------------------------|---------------|----------------------------|---------------------------|---------------------------|
| $\|_1$   | no / Prop. 9                  | no / Prop. 12 | yes                        | easy / Prop. 10           | yes / Prop. 2             |
| $\|_2$   | yes / Prop. 8                 | no / complex  | yes                        | complex                   | yes / Prop. 2             |
| $\|_3$   | yes / Prop. 8                 | yes / Prop. 17| no                         | complex                   | yes / Prop. 2             |
| $\|_4$   | no                            | yes / Prop. 17| no                         | complex                   | yes / Prop. 2             |
Appendix: This appendix contains the proofs of the main propositions.

Proof of Proposition [ref], i) $\Rightarrow$ ii): The first part, $A_1 \le A_2$, is a consequence of
$\Theta^{z,w}(z[A_1,E_1])(true) \le \Theta^{z,w}(z[A_2,E_2])(true)$. For the remaining assertion
note the following equivalences for $P \in Pred_{w,z}$:

$\Theta^{z,w}(z[A_1,E_1])(P) \le \Theta^{z,w}(z[A_2,E_2])(P)$

$A_1 \wedge \forall z(\neg E_1 \vee P) \le A_2 \wedge \forall z(\neg E_2 \vee P)$ (4)

We proceed by contradiction and assume $\neg \forall z, w\,((A_2 \Rightarrow E_2) \Rightarrow (A_1 \Rightarrow E_1))$.
Hence, by setting $Q = (A_1 \wedge \neg E_1 \wedge E_2)$ we can find bindings $a, b$ for $z, w$ with

$Q(a,b) = true$ .

By setting $P_0 = (z \ne a)$ we obtain a predicate in $Pred_z$, but the identities

$(A_1 \wedge \forall z(\neg E_1 \vee P_0))(b) = true$ , $(A_2 \wedge \forall z(\neg E_2 \vee P_0))(b) = false$

are in contradiction to (4). For implication ii) $\Rightarrow$ iv) assume $A_1 \le A_2$ and
$(\neg E_1 \wedge A_1) \le (\neg E_2 \wedge A_2)$. Then, for $u$ with $u \cap z = \emptyset$ and $P \in Pred_{u,z}$,

$\Theta^{z,u}(z[A_1,E_1])(P) = A_1 \wedge \forall z(E_1 \Rightarrow P) = A_1 \wedge \forall z(A_1 \wedge (P \vee \neg E_1))$

$= A_1 \wedge \forall z((A_1 \wedge P) \vee (A_1 \wedge \neg E_1))$

$\le A_2 \wedge \forall z((A_2 \wedge P) \vee (A_2 \wedge \neg E_2))$

$= \Theta^{z,u}(z[A_2,E_2])(P)$

The equivalence ii) $\Leftrightarrow$ iii) is a trivial tautology and iv) $\Rightarrow$ i) is obvious. □

Proof of Proposition [ref]. Hiding $v$ means restricting the predicate transformer
to $Pred_{u,z}$. For $P \in Pred_{u,z}$,

$A \wedge \forall z, v(\neg E \vee P) = A \wedge \forall z((\forall v\, \neg E) \vee P)$

$= A \wedge \forall z(\neg E^{v} \vee P)$

$= z[A, E^{v}](P)$ □

Proof of Proposition [ref]. According to Proposition [ref], $z[A_1,E] \sqsubseteq z[A_2,E]$ is equivalent
to $A_1 \le A_2$ and $(A_2 \Rightarrow E) \le (A_1 \Rightarrow E)$ which implies the assertion. □

Proof of Proposition 9. According to Proposition [ref], $z_i[A_{i1},E_{i1}] \sqsubseteq z_i[A_{i2},E_{i2}]$ is
equivalent to the two conditions

$A_{i1} \le A_{i2}$ (5)

$(A_{i2} \Rightarrow E_{i2}) \le (A_{i1} \Rightarrow E_{i1})$ (6)

for $i = 1,2$. By definition, we get for the above parallel compositions,

$z_1[A_{11},E_{11}] \|_1 z_2[A_{21},E_{21}] = z_1,z_2[(A_{11} \wedge A_{21})^{z_1 z_2}, A_{11} \wedge A_{21} \wedge E_{11} \wedge E_{21}]$
$z_1[A_{12},E_{12}] \|_1 z_2[A_{22},E_{22}] = z_1,z_2[(A_{12} \wedge A_{22})^{z_1 z_2}, A_{12} \wedge A_{22} \wedge E_{12} \wedge E_{22}]$

Once more with Proposition [ref] we see that the refinement

$z_1[A_{11},E_{11}] \|_1 z_2[A_{21},E_{21}] \sqsubseteq z_1[A_{12},E_{12}] \|_1 z_2[A_{22},E_{22}]$ (7)

is equivalent to the two conditions

$(A_{11} \wedge A_{21})^{z_1 z_2} \le (A_{12} \wedge A_{22})^{z_1 z_2}$ (8)

$((A_{12} \wedge A_{22})^{z_1 z_2} \Rightarrow (A_{12} \wedge A_{22} \wedge E_{12} \wedge E_{22}))$ (9)

$\le ((A_{11} \wedge A_{21})^{z_1 z_2} \Rightarrow (A_{11} \wedge A_{21} \wedge E_{11} \wedge E_{21}))$

The first property (8) is satisfied because of (5). The second condition (9), under
our assumptions, is obviously equivalent to (7). By using the condition (5) and
the conditions (6) and (8), it can be checked that the condition (9) is equivalent
to property ii). □

Proof of Proposition 10. According to definition,

$z_1[A_1 \wedge F_2, E_1 \wedge F_1] \|_1 z_2[A_2 \wedge F_1, E_2 \wedge F_2]$

$= z_1,z_2[(A_1 \wedge F_2 \wedge A_2 \wedge F_1)^{z_1 z_2},\ A_1 \wedge A_2 \wedge E_1 \wedge E_2 \wedge F_1 \wedge F_2]$ .

From Proposition [ref] we know that $z_1[A_1 \wedge F_2, E_1 \wedge F_1] \|_1 z_2[A_2 \wedge F_1, E_2 \wedge
F_2] \sqsubseteq z_1,z_2[(A_1 \wedge A_2)^{z_1 z_2}, A_1 \wedge A_2 \wedge E_1 \wedge E_2 \wedge F_1 \wedge F_2]$ is equivalent to the two
conditions

$(A_1 \wedge F_2 \wedge A_2 \wedge F_1)^{z_1 z_2} \le (A_1 \wedge A_2)^{z_1 z_2}$

and

$((A_1 \wedge A_2)^{z_1 z_2} \Rightarrow A_1 \wedge A_2 \wedge E_1 \wedge E_2 \wedge F_1 \wedge F_2)$
$\le ((A_1 \wedge F_2 \wedge A_2 \wedge F_1)^{z_1 z_2} \Rightarrow A_1 \wedge A_2 \wedge E_1 \wedge E_2 \wedge F_1 \wedge F_2)$

which are obviously true. So it remains to prove i) $\Leftrightarrow$ ii).

The refinement $z_1,z_2[(A_1 \wedge A_2)^{z_1 z_2}, A_1 \wedge A_2 \wedge E_1 \wedge E_2 \wedge F_1 \wedge F_2] \sqsubseteq z_1[A_1 \wedge
F_2, E_1 \wedge F_1] \|_1 z_2[A_2 \wedge F_1, E_2 \wedge F_2]$ is equivalent to the properties

$(A_1 \wedge A_2)^{z_1 z_2} \le (A_1 \wedge F_2 \wedge A_2 \wedge F_1)^{z_1 z_2}$ and
$((A_1 \wedge F_2 \wedge A_2 \wedge F_1)^{z_1 z_2} \Rightarrow E) \le ((A_1 \wedge A_2)^{z_1 z_2} \Rightarrow E)$

which are clearly equivalent to assertion ii). □



Proof of Proposition 12. The corresponding specifications to the parallel compositions
are, respectively,

(a) $z_1,z_2,z_3[((A_1 \wedge A_2)^{z_1 z_2} \wedge A_3)^{z_1 z_2 z_3},\ A_1 \wedge A_2 \wedge A_3 \wedge E_1 \wedge E_2 \wedge E_3]$

(b) $z_1,z_2,z_3[((A_2 \wedge A_3)^{z_2 z_3} \wedge A_1)^{z_1 z_2 z_3},\ A_1 \wedge A_2 \wedge A_3 \wedge E_1 \wedge E_2 \wedge E_3]$

(c) $z_1,z_2,z_3[((A_1 \wedge A_3)^{z_1 z_3} \wedge A_2)^{z_1 z_2 z_3},\ A_1 \wedge A_2 \wedge A_3 \wedge E_1 \wedge E_2 \wedge E_3]$

Applying Proposition [ref] we get (a) $\equiv$ (b) iff the following equivalence holds,

$((A_1 \wedge A_2)^{z_1 z_2} \wedge A_3)^{z_1 z_2 z_3} = ((A_2 \wedge A_3)^{z_2 z_3} \wedge A_1)^{z_1 z_2 z_3}$

Hence, necessary and sufficient conditions for the equivalence (a) $\equiv$ (b) $\equiv$ (c)
are the equivalences in (3). □



Proof of Proposition 16. We have

$(\,z_1[A_1,E_1] \|_1 z_2[A_2,E_2]\,) \|_1 z_3[A_3,E_3] = z_1,z_2[(A_1 \wedge A_2)^{z_1 z_2}, A_1 \wedge A_2 \wedge E_1 \wedge E_2] \|_1 z_3[A_3,E_3]$

$= z_1,z_2,z_3[((A_1 \wedge A_2)^{z_1 z_2} \wedge A_3)^{z_1 z_2 z_3},\ \bigwedge_{1 \le i \le 3}(A_i \wedge E_i)]$

and thus, our assumptions can be stated as:

$A_1 \wedge E_1 \le A_2$ , $A_2 \wedge E_2 \le A_1$ ,

$A_i \le (A_i \wedge E_i)^{z_i}$ , $i = 1,2$ ,

$((A_1 \wedge A_2)^{z_1 z_2} \wedge A_3)^{z_1 z_2 z_3} \le (\bigwedge_{1 \le i \le 3}(A_i \wedge E_i))^{z_1 z_2 z_3}$ .

Using this we find

$((A_1 \wedge A_3)^{z_1 z_3} \wedge A_2)^{z_1 z_2 z_3} \le (((A_1 \wedge E_1)^{z_1} \wedge A_3)^{z_1 z_3} \wedge A_2)^{z_1 z_2 z_3}$

$\le (((A_1 \wedge A_2)^{z_1} \wedge A_3)^{z_1 z_3} \wedge A_2)^{z_1 z_2 z_3}$

$\le ((A_1 \wedge A_2)^{z_1 z_2} \wedge A_3)^{z_1 z_2 z_3}$

$\le (A_1 \wedge A_2 \wedge A_3)^{z_1 z_2 z_3}$

The remaining case can be treated similarly.
Abstract. A timed process algebra is developed for evaluating the tem- 
poral worst-case efficiency of asynchronous concurrent systems. For the 
sake of simplicity, we use a classical CCS-like algebra where actions may 
occur arbitrarily within a continuous time interval, yielding arbitrary 
relative speeds of the components. Via the timed testing approach, asyn- 
chronous systems are then related w.r.t. their worst-case efficiency, yield- 
ing an efficiency preorder. We show that this preorder can just as well 
be based on much simpler discrete time and that it can be characterized 
with some kind of refusal traces. Finally, precongruence results are pro- 
vided for all operators of the algebra, where prefix, choice and recursion 
require special attention. 



1 Motivation and Introduction

Classical process algebras like CCS model asynchronous systems, where the components
have arbitrary relative speeds. To consider the temporal behaviour, several
timed process algebras have been proposed, where usually systems are regarded
as synchronous, i.e. have components with fixed speeds. The easiest of
these is SCCS [ref]: terms are essentially the same as for CCS; the natural
choice to fix the speeds of components is to assume that each action takes
one unit of time; so SCCS-semantics differs from CCS-semantics essentially by
excluding runs where one component performs many actions while another performs
just one. Our aim is to evaluate the temporal worst-case efficiency of
asynchronous concurrent systems modeled with a process algebra, and - as in
the case of SCCS - we want to keep things simple by using just classical CCS-like
process terms. Furthermore, we will use a variant of (must-) testing [refs],
where the testing preorder can be interpreted as comparing efficiency.

A usual treatment of asynchronous systems with a timed process algebra is to
allow arbitrary idling before each action [refs]; this achieves arbitrary
relative speeds, but is not suitable for defining worst-case runs since each action
already can take arbitrarily long. Here, we assume each action to be performed
within a given time - and to keep things simple as in SCCS, we take 1 as
a common upper time bound for all actions. This enforces some progress, but
different from SCCS, actions may also be performed faster than necessary; hence,
components have arbitrary relative speeds and we take into account all runs of an
asynchronous system; see e.g. [ref] for an approach with upper time bounds.

We compare processes via the testing approach developed by [DNH84] and
extended to timed testing in a Petri net framework in [ref]. A timed
test is an environment together with a time bound. A process is embedded into
the environment essentially via parallel composition and satisfies a timed test, if
success is reached before the time bound in every run of the composed system,
i.e. even in the worst case. If some process $P$ satisfies each timed test satisfied
by a process $Q$, then $P$ may be successful in more environments than specified
by $Q$, but it may also be successful in the same environments within a shorter
time; therefore, we call it a faster implementation of $Q$, and the testing preorder
is naturally an efficiency preorder. In order to help intuition, we anticipate the
following example: let $P_a = \mu X.a.X$ be a process which is ready to engage
in activity $a$ repeatedly, let $P_b = \mu X.b.X$ be analogous with $b$ and let $P_+ =
\mu X(a.X + b.X)$ be ready to engage repeatedly either in $a$ or $b$ one at a time;
then we expect the parallel composition without synchronization $P_* = P_a \|_\emptyset P_b$
to be faster than $P_+$, since simultaneous requests for both $a$ and $b$ from an
environment can be served simultaneously by $P_*$ but not by $P_+$.

To define timed testing formally, we have to define runs of asynchronous systems. In Section 2 we develop a suitable semantics with upper time bound on actions where time is continuous; we try to formalize our intuitive ideas as directly as possible without anticipating any specific treatment that might be necessary to obtain a precongruence in the end. As regards the definition of testing, the classical embedding in the test environment leads to a testing preorder which, surprisingly, is not a precongruence for prefixing; instead of refining the preorder to the coarsest such precongruence (cf. [EE n ns]), we get this precongruence directly by using a slightly different, but also intuitive embedding.

Using continuous time is certainly not as simple as intended; e.g. initially a process can make uncountably many time steps. Our first main result in Section 3 reconciles realism and simplicity: we define an analogous efficiency preorder based on discrete time behaviour and show its coincidence with the first one. In Section 4, as usual in a testing approach, we characterize the efficiency preorder, here with some kind of refusal traces. The important point with this second main result is that test environments are asynchronous systems, hence ‘temporally weak’, but nevertheless reveal the temporal behaviour of tested processes quite in detail; correspondingly, the construction of revealing tests is a little involved.

We also provide precongruence results for parallel composition, hiding, relabeling and prefixing. Finally, in Section 5 we refine the efficiency preorder to a precongruence also for choice: as usual, we additionally have to take into account the (initial) stability of processes. Quite surprisingly, although we consider a preorder, the additional condition on stability is not only an implication but an equivalence. The refined efficiency preorder is then shown to be the coarsest precongruence for all operators of our process algebra that respects inclusion of discrete behaviour. We also provide a precongruence result for recursion. Here, we avoid the introduction of least elements (Ω-terms) and application of cpo-techniques (cf. [Hen88]) and thereby gain some degree of self-containment, but our technique exploits the restriction to guarded recursion.

We have translated the results for Petri nets from [nwi] to a process algebra setting for two reasons: on the one hand, it is shown that the underlying ideas are not model-dependent; on the other hand, the developments here are quite different, see e.g. the progress preorder in Section 3, and process algebras are much more powerful than finite safe Petri nets by providing Turing-power.

For an interesting application of our approach see [1,1 VH5I], where different implementations of a bounded buffer are distinguished w.r.t. their efficiency; we intend to carry over this example into our process algebra setting, expecting the same results. Due to lack of space, most proofs are omitted in this paper. (A full version is available as technical report.)

2 Continuously Timed Processes and Tests 

We will use a CCS-like process algebra with TCSP-like ||_A parallel composition, where A is a set of actions and components have to synchronize on all actions from A. Processes will perform (atomic) actions instantaneously within time 1; time passes continuously (in this section) in between their occurrences. For example, process a.P will idle and then perform action a at some time point in the real interval [0; 1], evolving to P. To model this, we introduce continuously timed actions (a, r), which carry a ‘timer’ r whose initial value can be chosen from the interval [0; 1] of real numbers. When time passes globally by a certain amount, the timer of a locally activated action will be decreased accordingly. Timer value 0 denotes that the idle time of the respective action has elapsed, hence it must either occur or be deactivated before time may pass further (urgency), unless it has to wait for synchronization with another component (patience). E.g., process a.P corresponds to (a, 1).P and can idle, process (a, 0).Q can neither idle nor wait, but component (a, 0).Q in ((a, 0).Q) ||_{a} ((a, 1).P) has to wait for synchronization on a while component (a, 1).P still may idle.

We also use two distinguished actions: τ represents internal activity and ω is reserved for observers (test processes) only, which use this action in order to signal success of a test.

Definition 2.1 Let 𝒜 be an infinite set of actions and let ω, τ ∉ 𝒜 be the success and internal action resp. We define 𝒜_ω = 𝒜 ∪ {ω} and 𝒜_ωτ = 𝒜_ω ∪ {τ}. Elements of 𝒜_ωτ are denoted by a, b, c, ... (including τ and ω). Let T be the set of real numbers in [0; 1]. Elements from T are denoted by p, r, .... Let Act = 𝒜_ωτ × T = {α, β, ...} be the set of continuously timed actions, where e.g. α = (a, r) ∈ Act. We use a as a shorthand for (a, 1) and a̲ as a shorthand for (a, 0), which we call an urgent action.

A (continuously timed) c-process term P is generated by the following grammar:

P ::= 0 | X | (a, r).P | P + P | P ||_A P | P[Φ] | μX.P

where 0 (Nil) is a constant, X ∈ 𝒳 = {X, Y, Z, ...} is a (process) variable, (a, r) ∈ Act and A ⊆ 𝒜 possibly infinite; Φ : 𝒜_ωτ → 𝒜_ωτ is a general relabeling function satisfying: {a ∈ 𝒜 | ∃b ≠ a : Φ(b) = a} is finite, Φ⁻¹(ω) ⊆ {ω} and Φ(τ) = τ. Additionally, we only allow guarded recursion. 𝒫̃_c is the set of c-process terms P, Q, .... We distinguish several cases: P is an initial process term, if the choice of r is restricted to r = 1; 𝒫̃_I is the set of initial process terms. P is a (continuously timed) c-process, if P is closed, i.e. all variables X in P are bound by the corresponding μX-operator; the set of c-processes is denoted by 𝒫_c. 𝒫_I = 𝒫_c ∩ 𝒫̃_I is the set of initial processes. ■

0 is the Nil-process, which cannot perform any action, but may let pass time without limit. X ∈ 𝒳 is a process variable used for recursion. α.P is action-prefixing known from CCS: (a, r) stands for the action a which has to be performed within time r. To evaluate worst-case behaviour, such an upper time bound has to be assumed; if detailed information is missing, it is natural that in the processes under consideration all actions have the same time bound, which one can take as unit of time. Thus, we will be able to translate ordinary CCS-like process terms into our setting by replacing each a by (a, 1).

P1 + P2 models nondeterministic choice between P1 and P2 and P1 ||_A P2 is the parallel composition of two processes P1 and P2 that run in parallel and have to synchronize on all actions from A; this is inspired from TCSP. The general relabeling operation P[Φ] subsumes the classically distinguished operations relabeling and hiding: if Φ satisfies Φ⁻¹(τ) = {τ}, then Φ is a (classical) relabeling function; if Φ maps some (possibly infinite) A ⊆ 𝒜 to {τ} and is the identity otherwise, then P[Φ] hides A in P and is also written P/A. The finiteness of the set {a ∈ 𝒜 | ∃b ≠ a : Φ(b) = a} will ensure that the number of different actions ever performable by a c-process is finite. μX.P models recursion; some X ∈ 𝒳 is guarded in a c-process term P ∈ 𝒫̃_c, if each occurrence of X is in a subterm α.Q of P, where the guard α ∈ Act may also be an internal timed action (τ, r). In this paper, we only consider c-process terms μX.P where X is guarded in P. We say that P ∈ 𝒫̃_c is guarded if all X ∈ 𝒳 are guarded in P. Whenever we perform syntactical substitution P{Q/X}, we assume that no free variable of Q is bound in P (Barendregt convention). If S is a function S : 𝒳 → 𝒫̃_c, then S denotes a simultaneous substitution of all variables, and we write [P]_S for P{S(X)/X, S(Y)/Y, ...}, i.e. application of S to P.

The precedence of the operators in decreasing order is as follows: relabeling, 
prefix, recursion, parallel composition, choice. We intend choice and parallel 
composition to be commutative and choice to be associative, and we anticipate 
this by a syntactical congruence: 

Definition 2.2 Syntactical congruence ≡ ⊆ 𝒫̃_c × 𝒫̃_c is the least congruence of c-process terms satisfying for all P1, P2, P3 ∈ 𝒫̃_c and A ⊆ 𝒜:

P1 + P2 ≡ P2 + P1      (P1 + P2) + P3 ≡ P1 + (P2 + P3)      P1 ||_A P2 ≡ P2 ||_A P1

We regard syntactically congruent c-process terms as equal. Therefore, Σ_{i∈I} P_i is used as a shorthand for the sum of all P_i ∈ 𝒫̃_c, where i is in a finite indexing set I. We define Σ_{i∈∅} P_i = 0 and if |I| = 1, then Σ_{i∈I} P_i = P_i. ■

Now the purely functional behaviour of process terms (i.e. which actions they can perform) is given by the following operational semantics, where syntactical congruence enables us to use only one SOS-rule for choice and two SOS-rules for parallel composition:

Definition 2.3 Relation --> ⊆ (𝒫̃_c × 𝒜_ωτ × 𝒫̃_c) is defined inductively:

                                 P1 --a--> P1'                  a ∉ A,  P1 --a--> P1'
  (a,r).P --a--> P             ----------------------         ------------------------------------
                                 P1 + P2 --a--> P1'             P1 ||_A P2 --a--> P1' ||_A P2

    a ∈ A,  P1 --a--> P1',  P2 --a--> P2'          P --a--> P'                    P --a--> P'
  ------------------------------------------     ----------------------------   ----------------------------------
    P1 ||_A P2 --a--> P1' ||_A P2'                 P[Φ] --Φ(a)--> P'[Φ]           μX.P --a--> P'{μX.P/X}

For c-process terms P, P' and a ∈ 𝒜_ωτ, we write P --a--> P' if (P, a, P') ∈ --> and P --a--> if there exists a P'' such that (P, a, P'') ∈ -->. Finally, we let A(P) = {a ∈ 𝒜_ωτ | P --a-->} be the set of activated actions of P. ■

Except for prefix and recursion, these rules are standard. The first one allows an activated action to occur disregarding the value of its timer; since passage of time will never deactivate actions or activate new ones, we capture all behaviour that is possible in the standard CCS-like setting without time. Note that the recursion rule implicitly makes use of guarded recursion [Enni]; this simplifies proofs of operational properties by connecting induction on inferences with induction on the structure of a c-process.

The set of activated actions of a c-process term P describes its immediate functional behaviour; it will be preserved along passage of time. It is empty for process variables X ∈ 𝒳, reflecting that unbound occurrence of a variable means incomplete specification. We have defined A(P) via operational semantics, but it can equivalently be determined inductively from the syntactical structure of P alone. Observe that A(P) records only actions, not the possibly various timer values associated with the same action in a process. Furthermore, due to the image-finiteness of general relabeling functions, A(P) is always finite, which will be used for the characterization of our testing preorder.

Proposition 2.4 Let P ∈ 𝒫̃_c be a process term. Then A(P) is finite. ■

As a first step to define timed behaviour, we now give operational rules for 
the passage of ‘wait-time’: all components of a system participate in a global 
time step, and this passage of time is recorded for locally activated actions by 
decreasing their annotated timer by the prefix rule. Note that time passes disre- 
garding elapsed timers; this might be necessary for a component when waiting 
for a synchronization partner, and this explains the notion ‘wait-time’. 

Definition 2.5 Relation ~~>_c ⊆ (𝒫̃_c × T × 𝒫̃_c) is defined inductively:

                                r' = max(r − p, 0)                 P1 ~~p~~>_c P1',  P2 ~~p~~>_c P2'
  0 ~~p~~>_c 0               --------------------------------     ----------------------------------
                                (a,r).P ~~p~~>_c (a,r').P           P1 + P2 ~~p~~>_c P1' + P2'

    P1 ~~p~~>_c P1',  P2 ~~p~~>_c P2'           P ~~p~~>_c P'                 P ~~p~~>_c P'
  ----------------------------------------     ----------------------------   -------------------------------------
    P1 ||_A P2 ~~p~~>_c P1' ||_A P2'             P[Φ] ~~p~~>_c P'[Φ]            μX.P ~~p~~>_c P'{μX.P/X}

For c-process terms P, P' ∈ 𝒫̃_c and p ∈ T, we write P ~~p~~>_c P' if (P, p, P') ∈ ~~>_c. We write P ~~p~~>_c, if there exists a P'' ∈ 𝒫̃_c such that (P, p, P'') ∈ ~~>_c. ■

Note that a process variable X G X has no time semantics, again reflecting 
the fact that unbound occurrence of a variable means incomplete specification. 

The operational semantics of wait-time allows c-processes to wait forever, but our intention was that an urgent action has to occur or be disabled, unless it has to wait for a synchronization partner. We will enforce this using an auxiliary function that calculates for a given action a its residual time R(a, P) in a c-process term P, i.e. the time until it becomes urgent.

Definition 2.6 The residual time of an action a ∈ 𝒜_ωτ in a c-process term P ∈ 𝒫̃_c is given by the following inductively defined function R : 𝒜_ωτ × 𝒫̃_c → T:

Nil:  R(a, 0) = 1 for all a ∈ 𝒜_ωτ
Var:  R(a, X) = 1 for all a ∈ 𝒜_ωτ
Pref: R(a, α.P) is r if α = (a, r) and 1 otherwise
Sum:  R(a, P1 + P2) = min(R(a, P1), R(a, P2))
Par:  R(a, P1 ||_A P2) is max(R(a, P1), R(a, P2)) if a ∈ A and min(R(a, P1), R(a, P2)) if a ∉ A
Rel:  R(a, P[Φ]) = min{R(b, P) | b ∈ Φ⁻¹(a)}
Rec:  R(a, μX.P) = R(a, P)

Finally, we let R(P) = min{R(a, P) | a ∈ A(P)}, where min ∅ := 1. ■

We have chosen R(a, X) = R(a, 0) = 1 mainly for technical reasons (cf. below). The Par-case will realize the desired behaviour of waiting in a parallel composition: if P1 and P2 have to synchronize on a, then the residual time of a in P1 ||_A P2 is determined by the ‘slower’ component with larger residual time; if P1 and P2 do not have to synchronize on a, the ‘faster’ component determines the maximal possible delay of a in P1 ||_A P2.

Observe that in the Rel-case Φ⁻¹(a) may be empty or infinite; for the latter case, we will see below that for any c-process term P there are only finitely many actions b with R(b, P) ≠ 1 (Proposition 2.7 together with 2.4), such that the set {R(b, P) | b ∈ Φ⁻¹(a)} is finite and R(a, P[Φ]) exists. Similarly, R(P) exists for each c-process term P, and, hence, the residual time is well-defined and we have R(a, P) ∈ T and R(P) ∈ T in all cases.

Proposition 2.7 If R(a, P) ≠ 1, then a ∈ A(P) for P ∈ 𝒫̃_c and a ∈ 𝒜_ωτ. ■

Using the residual time of a c-process term, we are now able to restrict wait-time to the timed behaviour we had in mind originally and which we call ‘idle-time’. Alternatively, idle-time could have been defined via SOS-rules intertwined with the rules for wait-time.

Definition 2.8 We write P --p-->_c P' (and P --p-->_c) if P ~~p~~>_c P' and p ≤ R(P). ■

Consider the example from the beginning of this section: it is R((a, 1).P) = R(a, (a, 1).P) = 1, so (a, 1).P ~~1~~>_c (a, 0).P and (a, 1).P --1-->_c (a, 0).P. Similarly, we have R((a, 0).Q) = R(a, (a, 0).Q) = 0, hence only (a, 0).Q ~~1~~>_c (a, 0).Q but not (a, 0).Q --1-->_c (a, 0).Q; however, we have R((a, 0).Q ||_{a} (a, 1).P) = 1 and, thus, (a, 0).Q ||_{a} (a, 1).P --1-->_c (a, 0).Q ||_{a} (a, 0).P.



Proposition 2.9 gathers some properties of our timing discipline; by termination, urgency and persistence, c-processes without activated actions may idle for an arbitrary amount of time, but if there are activated actions, they may idle at most for time 1 by progress, urgency and persistence:

Proposition 2.9 Let P, P', P'' ∈ 𝒫̃_c and p, p', p + p' ∈ T.

1. (urgency)      P --p-->_c iff P is guarded and p ≤ R(P), and P' is guarded if P --p-->_c P'.

2. (persistence)  If P --p-->_c P', then A(P) = A(P').

3. (termination)  If A(P) = ∅ and P --p-->_c P', then R(P) = R(P') = 1.

4. (progress)     If A(P) ≠ ∅ and P --p-->_c P', then R(P) − R(P') = p.

5. (continuity)   P --p+p'-->_c P'' if and only if P --p-->_c P' --p'-->_c P'' for some P'.

6. (determinism)  If P --p-->_c P' and P --p-->_c P'', then P' = P''. ■

Purely functional and timed behaviour of processes are combined in the continuous language of processes. As usual, we abstract from internal behaviour; note that internal actions gain some ‘visibility’ in timed behaviour, since their presence possibly allows to pass more time in between the occurrence of visible actions. For later proofs (cf. Lemma 3.7) we also need a language that records τ’s.

Definition 2.10 Let P, P' ∈ 𝒫̃_c be c-process terms. We write P --ε-->_c P' if either ε ∈ 𝒜_ωτ and P --ε--> P', or ε ∈ T and P --ε-->_c P'. We extend this to sequences w and write P --w-->_c P' if P = P' and w = λ (empty sequence) or there exist Q ∈ 𝒫̃_c and ε ∈ (𝒜_ωτ ∪ T) such that P --ε-->_c Q --w'-->_c P' and w = εw'. For a w ∈ (𝒜_ωτ ∪ T)* let w/τ be the sequence w with all τ’s removed, let act(w) be the sequence of elements from 𝒜_ω in w, and let ζ(w) be the sum of time steps in w; note that ζ(w/τ) = ζ(w). We write P ==v==>_c P', if P --w-->_c P' and v = w/τ.

For a c-process P ∈ 𝒫_c we define CL_τ(P) = {w | P --w-->_c} to be the continuous τ-language, containing the continuous τ-traces of P, and CL(P) = {w | P ==w==>_c} to be the continuous language, containing the continuous traces of P. ■

We state in passing that the set of c-processes is closed under occurrence of actions or passage of time, i.e. P ∈ 𝒫_c and P --ε-->_c P' implies P' ∈ 𝒫_c again.

Based on the continuous language of c-processes, we are now ready to define timed testing and to relate c-processes w.r.t. their efficiency:

Definition 2.11 An initial process P ∈ 𝒫_I is testable if ω does not occur in P. Any initial process O ∈ 𝒫_I may serve as a test process (observer). A c-timed test is a pair (O, R), where O is a test process and R ∈ ℝ_{≥0} is the real time bound. A testable process P c-satisfies a c-timed test (P must_c (O, R)), if each v ∈ CL(τ.P ||_𝒜 O) with ζ(v) > R contains some ω. For testable processes P and Q, we call P a continuously faster implementation of Q, written P ⊒_c Q, if P c-satisfies all c-timed tests that Q c-satisfies. ⊒_c is the efficiency preorder. ■

In contrast to e.g. [DNH84], execution and not only activation of an ω is necessary for satisfaction of a c-timed test. Note that τ.P ||_𝒜 O is a shorthand for ((τ, 1).P) ||_𝒜 O. Usually, one considers the behaviour of P ||_𝒜 O when defining a test. This is also done in [EliSnEl], where it is shown that surprisingly the resulting efficiency preorder is not a precongruence for prefix and therefore has to be refined afterwards. In order to avoid this complication, we have chosen τ.P ||_𝒜 O instead, gaining the same result directly. From an intuitive point of view, the additional τ-prefix represents some internal setup activity before the actual test begins.

As an example consider observer O = a.ω.0 ||_∅ b.ω.0 and P* and P+ from Section 1: we have 1 1 a 1 b 1 ∈ CL(τ.P+ ||_𝒜 O), hence not P+ must_c (O, 3); but τ.P* ||_𝒜 O --1 1 a-->_c (μX.a.X ||_∅ b̲.μX.b.X) ||_𝒜 (ω.0 ||_∅ b̲.ω.0), which in the worst case performs b 1 before an ω; thus P* must_c (O, 3). (Recall that b̲ is (b, 0).)

Runs with duration less than R may not contain all actions that occur up to time R; hence we only consider runs with a duration greater than the time bound R for test satisfaction. This definition of c-satisfaction would be of questionable usefulness, if c-processes were able to stop time, i.e. to reach a state from where no time step is possible any more; we will see later on (cf. 3.4.4) that this doubt is unsubstantiated.

At this point, it is by no means clear how to check P ⊒_c Q for given testable P and Q. Obviously, the definition cannot be applied directly, since there are uncountably many time bounds and, hence, c-timed tests to apply. Even if we could decide P ⊒_c Q from CL(P) and CL(Q) only (which is not the case), CL(P) and CL(Q) are still uncountable and hard to handle.



3 Discretization 

Intuitively, satisfaction of a c-timed test essentially depends on the ‘slowest’ sequences in CL(τ.P ||_𝒜 O); in this section, we will show that these are generated by discrete behaviour only, i.e. those traces with only time steps of duration 1. This will yield a simple theory.

Definition 3.1 Let P, P' ∈ 𝒫̃_c be c-process terms. We write P --ε-->_d P' if either ε ∈ 𝒜_ωτ and P --ε--> P', or ε = 1 and P --1-->_c P'; in the latter case we say that P performs a unit time step. For sequences w ∈ (𝒜_ωτ ∪ {1})*, we define P --w-->_d and P ==v==>_d analogously to Definition 2.10. For a c-process P ∈ 𝒫_c we define DL_τ(P) = {w | P --w-->_d} to be the discrete τ-language, containing the discrete τ-traces of P, and DL(P) = {w/τ | w ∈ DL_τ(P)} to be the discrete language, containing the discrete traces of P. Observe that DL(P) ⊆ CL(P) and DL_τ(P) ⊆ CL_τ(P). ■

We are mainly interested in initial processes (which can be seen as the processes of an ordinary untimed process algebra). Therefore, we will first characterize syntactically those c-processes in 𝒫_c that are reachable from an initial process by only discrete behaviour. These terms represent a discretely timed process algebra and their structure is important e.g. in the proofs below.

Definition 3.2 An urgent process term U is generated by the grammar:

U ::= 0 | a̲.I | U + U | U ||_A U | U[Φ]      (recall that a̲ is (a, 0))

where I ∈ 𝒫̃_I is an initial process term, a ∈ 𝒜_ωτ, A ⊆ 𝒜 and Φ a general relabeling function. The set of urgent process terms is denoted by 𝒫̃_U, and 𝒫_U = 𝒫̃_U ∩ 𝒫_c is the set of urgent processes. A (discretely timed) process term P is generated by the following grammar:

P ::= I | U | P ||_A P | P[Φ]

where I, A, Φ are as above and U ∈ 𝒫̃_U is an urgent process term. 𝒫̃ is the set of process terms and 𝒫 = 𝒫̃ ∩ 𝒫_c is the set of (discretely timed) processes. ■

Intuitively, an urgent process term is reached whenever a process term performs a unit time step. Hence, an urgent process term usually must not let time pass further; but this is allowed for process terms without activated actions: consider 0 ∈ 𝒫̃_U ∩ 𝒫̃_I for this case, which can be seen as both, initial and urgent. Process variables X ∈ 𝒳 are always initial, since they may not let pass time at all, hence cannot be reached by a time step.

Proposition 3.3 Let P ∈ 𝒫̃ be a process term and a ∈ 𝒜_ωτ.

1. R(a, P) ∈ {0, 1}, thus R(P) ∈ {0, 1}; if P ∈ 𝒫̃_I, then R(a, P) = R(P) = 1.

2. If P --a--> P', then P' ∈ 𝒫̃ and for all b ∈ 𝒜_ωτ: R(b, P) ≤ R(b, P').

3. If P --1-->_d P', then P' ∈ 𝒫̃_U.

4. There are P_I ∈ 𝒫̃_I and w ∈ {τ}* with P_I --1w-->_d P, where w = λ if P ∈ 𝒫̃_U.

5. There are P' ∈ 𝒫̃ and w ∈ {a}*, such that P --w-->_d P' and R(a, P') = 1. ■

Proposition 3.3 states technical properties of (discrete) process terms and discrete behaviour; they are crucial in the proofs of many further developments and are gathered for processes in a more readable manner in 3.4 below.

First, in 3.3.1, we ascertain that the residual time of (actions in) process terms is always either 0 or 1, reflecting that process terms can perform either no time step or a unit time step. Properties 2. and 3. ensure that discrete behaviour of a process term yields a process term again, validating the match between the operational Definition 3.1 of discrete behaviour and the syntactical Definition 3.2 of discrete process terms. Additionally, occurrence of actions can only increase the residual time of (actions in) a process term. Properties 4. and 5. are of rather technical nature, but their statements are of intuitive interest, too: any process term is reachable from an initial process term by a unit time step and internal steps only, and repetition of a single action will eventually yield a process term, in which this action is not urgent any more. This will be important when characterizing the testing preorder in the next section.

Corollary 3.4

1. The set 𝒫 contains exactly those processes that are reachable from some initial process P ∈ 𝒫_I by only discrete behaviour.

2. The set 𝒫_U contains exactly those processes that are reachable from some initial process P ∈ 𝒫_I by performing only a 1-time-step.

3. Each P ∈ 𝒫 has a discretely reachable successor P' ∈ 𝒫 with R(P') = 1.

4. If P --w-->_d P' for some P, P' ∈ 𝒫 and w ∈ DL(P), then for each R ∈ ℝ_{≥0} there is a w' ∈ DL(P') (hence ww' ∈ DL(P)), such that ζ(ww') > R. ■

From 3.4.1 follows that the set of processes is closed under discrete behaviour, i.e. P ∈ 𝒫 and P --w-->_d P' for some w ∈ DL_τ(P) implies P' ∈ 𝒫 again. Furthermore, 3.4.4 states that at least discrete behaviour never yields a time stop. Theorem 3.9 will indicate that this is sufficient also for our definition of c-timed tests to make sense.

So far, we only know that discrete behaviour of an initial process is part of its continuous behaviour. We now aim to show that discrete behaviour already contains enough information for checking P ⊒_c Q for testable P and Q. For this purpose, we will map each continuous trace of an initial (c-)process to a discrete trace of the same process. Related traces will exhibit the same behaviour, but at different points in time. We first relate the intermediate c-processes reached when performing such traces.

Definition 3.5 The progress preorder is the least ⊢ ⊆ (𝒫̃_c × T × 𝒫̃_c) satisfying:

Nil:  0 ⊢_δ 0 for all δ ∈ T
Var:  X ⊢_δ X for all δ ∈ T
Pref: (a, r1).P ⊢_δ (a, r2).P if r2 − r1 ≤ δ
Sum:  P1 + P2 ⊢_δ Q1 + Q2 if for i = 1, 2: Pi ⊢_δ Qi
Par:  P1 ||_A P2 ⊢_δ Q1 ||_A Q2 if for i = 1, 2: Pi ⊢_δ Qi
Rel:  P[Φ] ⊢_δ Q[Φ] if P ⊢_δ Q
Rec:  a) μX.P ⊢_δ μX.P for all δ ∈ T
      b) P'{μX.P/X} ⊢_δ μX.P if P' ⊢_δ P
      c) μX.P ⊢_δ P'{μX.P/X} if P ⊢_δ P' ■

Intuitively, P ⊢_δ Q means that P and Q are essentially identical up to the values of timers, and if P is ahead of Q, then for at most time δ. However, Q may be ahead of P for an arbitrary amount of time, which is realized locally in the Pref-case, where we allow r2 < r1. In cases Rec b) and c), μX.P and P'{μX.P/X} are regarded as structurally identical in two specific situations; this is necessary to make 3.6.4.a) below true: if P = μX.R ⊢_δ μX.R = Q and Q makes a time step, then only for Q recursion is unfolded by the recursion rule.

Proposition 3.6 For c-process terms P, P', Q, Q' ∈ 𝒫̃_c and δ, δ' ∈ T let P ⊢_δ Q. Furthermore, let a ∈ 𝒜_ωτ and p, p1, p2 ∈ T.

1. P ⊢_0 P for all P ∈ 𝒫̃_c.

2. R(Q) − R(P) ≤ δ and P ⊢_δ' Q if δ' ≥ δ.

3. If P --a--> P', then there exists Q' with Q --a--> Q' and P' ⊢_δ Q', and vice versa.

4. a) If Q --p-->_c Q' and 0 ≤ δ − p, then P ⊢_{δ−p} Q'.

   b) If P --p1-->_c P', Q --p2-->_c Q' and 0 ≤ δ + p1 − p2 ≤ 1, then P' ⊢_{δ+p1−p2} Q'. ■

Proposition 3.6 provides the elements for emulating each continuous trace of an initial process by a discrete trace that exhibits the same behaviour but consumes more time:
Lemma 3.7 Let P ∈ 𝒫_I be an initial process; then for each w ∈ CL(P) there is a v ∈ DL(P), such that act(v) = act(w) and ζ(v) ≥ ζ(w).

Proof:

We will construct for each w ∈ CL_τ(P) a v ∈ DL_τ(P), such that act(v) = act(w) and ζ(v) ≥ ζ(w); furthermore, we will show that for P_w and P_v reached after w and v we have P_v ⊢_{ζ(v)−ζ(w)} P_w; by 3.4.1, this will imply P_v ∈ 𝒫. Then w/τ ∈ CL(P), v/τ ∈ DL(P), act(v/τ) = act(w/τ) and ζ(v/τ) = ζ(v) ≥ ζ(w) = ζ(w/τ). The proof is by induction on |w|, where for w = λ we can choose v = λ; then P ⊢_0 P by 3.6.1, hence P_v ⊢_{0−0} P_w. Now assume that for w ∈ CL_τ(P) we have constructed v ∈ DL_τ(P) as desired and consider w' = wε ∈ CL_τ(P). We denote the processes reached after w' and v' by P_w' and P_v'.

If ε = a ∈ 𝒜_ωτ, then v' = va with act(v') = act(w') and ζ(v') = ζ(v) ≥ ζ(w) = ζ(w'). We have P_w --a--> P_w', and by 3.6.3 there is a P_v' such that P_v --a--> P_v' and P_v' ⊢_{ζ(v)−ζ(w)} P_w', i.e. P_v' ⊢_{ζ(v')−ζ(w')} P_w'.

Now let ε = p ∈ T. If p ≤ ζ(v) − ζ(w) we choose v' = v; obviously, act(v') = act(w') and ζ(v') = ζ(v) ≥ p + ζ(w) = ζ(w'). Furthermore, ζ(v') − ζ(w') = ζ(v) − ζ(w) − p ≥ 0, hence P_v ⊢_{ζ(v)−ζ(w)} P_w and 3.6.4.a) yield P_v' = P_v ⊢_{ζ(v')−ζ(w')} P_w'.

If on the other hand p > ζ(v) − ζ(w), we choose v' = v1. With 3.6.2 from P_v ⊢_{ζ(v)−ζ(w)} P_w we conclude R(P_v) + ζ(v) − ζ(w) ≥ R(P_w) and R(P_w) ≥ p > ζ(v) − ζ(w) by 2.8, i.e. R(P_v) > 0 and R(P_v) = 1 by 3.3.1. Now by 2.9.1 the time step 1 is allowed after v and v' = v1 ∈ DL_τ(P) with act(v') = act(w'). Furthermore, ζ(v') = ζ(v) + 1 ≥ ζ(w) + p = ζ(w'), and finally, p ≤ 1 and 0 ≤ ζ(v) − ζ(w) give 0 ≤ ζ(v) − ζ(w) + 1 − p, and ζ(v) − ζ(w) < p gives ζ(v) − ζ(w) + 1 − p < 1; so with 3.6.4.b) we conclude P_v' ⊢_{ζ(v)−ζ(w)+1−p} P_w', i.e. P_v' ⊢_{ζ(v')−ζ(w')} P_w'. ■

As an example we consider again process P* from Section 1 and show how from one of its continuous traces (upper line) the corresponding discrete trace (lower line) is constructed; additionally, we use ⊢_δ (middle line) to denote the progress relation of the intermediate states:

P*  --0.5 a-->_c  μX.a.X ||_∅ (b, 0.5).μX.b.X  --0.5 b-->_c  (a, 0.5).μX.a.X ||_∅ μX.b.X  --0.5 a-->_c  μX.a.X ||_∅ (b, 0.5).μX.b.X
⊢_0               ⊢_0.5                              ⊢_0                                  ⊢_0.5
P*  --1 a-->_d    μX.a.X ||_∅ b̲.μX.b.X           --b-->_d      μX.a.X ||_∅ μX.b.X          --1 a-->_d    μX.a.X ||_∅ b̲.μX.b.X

Initially, P* is related with itself via ⊢_0 as stated in 3.6.1. Then continuous 0.5 a is matched by discrete 1 a, yielding states related by ⊢_0.5 according to 3.5 (mainly Pref-case), validating 3.6.4.b) and 3.6.3. A further 0.5 b is matched by simple b, yielding states related by ⊢_0 according to 3.5, where now mainly case Rec c) and the Pref-case with r2 − r1 = 0.5 − 1 = −0.5 ≤ 0 apply; this also validates 3.6.4.a) and 3.6.3. We finally get act(0.5 a 0.5 b 0.5 a) = act(1 a b 1 a) = aba and ζ(0.5 a 0.5 b 0.5 a) = 1.5 < 2 = ζ(1 a b 1 a).
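The operational rules of Section 2 (Definitions 2.3, 2.5, 2.6 and 2.8) and the two traces of P* compared above can be executed mechanically. The following Python is an added example, not code from the paper: it represents c-process terms as tuples, leaves out relabeling P[Φ], keeps timers as exact Fractions, and replays the urgency example of Section 2 (a̲.Q cannot idle, but a̲.Q ||_{a} a.P can) as well as the continuous trace 0.5 a 0.5 b 0.5 a and the discrete trace 1 a b 1 a of P*.

```python
from fractions import Fraction

# Added example, not the paper's code.  Terms are tuples:
#   ('nil',)  0      ('var', X)  variable      ('pre', a, r, P)  (a, r).P, timer r in [0, 1]
#   ('sum', P, Q)  P + Q      ('par', A, P, Q)  P ||_A Q, A a frozenset      ('rec', X, P)  mu X.P
# Relabeling P[Phi] is left out.  a.P is (a, 1).P; the paper's underlined a is (a, 0).
NIL = ('nil',)

def pre(a, P, r=1):                       # (a, r).P with an exact timer
    return ('pre', a, Fraction(r), P)

def subst(P, X, Q):                       # P{Q/X}, Barendregt convention assumed
    tag = P[0]
    if tag == 'var': return Q if P[1] == X else P
    if tag == 'pre': return ('pre', P[1], P[2], subst(P[3], X, Q))
    if tag == 'sum': return ('sum', subst(P[1], X, Q), subst(P[2], X, Q))
    if tag == 'par': return ('par', P[1], subst(P[2], X, Q), subst(P[3], X, Q))
    if tag == 'rec': return P if P[1] == X else ('rec', P[1], subst(P[2], X, Q))
    return P                              # Nil

def steps(P):                             # Definition 2.3: all (a, P') with P --a--> P'
    tag = P[0]
    if tag == 'pre': return [(P[1], P[3])]            # timers do not matter here
    if tag == 'sum': return steps(P[1]) + steps(P[2])
    if tag == 'rec': return [(a, subst(Q, P[1], P)) for a, Q in steps(P[2])]
    if tag == 'par':
        A, P1, P2 = P[1:]
        s1, s2 = steps(P1), steps(P2)
        return ([(a, ('par', A, Q1, P2)) for a, Q1 in s1 if a not in A]
                + [(a, ('par', A, P1, Q2)) for a, Q2 in s2 if a not in A]
                + [(a, ('par', A, Q1, Q2)) for a, Q1 in s1 if a in A
                   for b, Q2 in s2 if b == a])        # synchronisation on A
    return []                             # Nil and free variables do nothing

def activated(P):                         # A(P)
    return {a for a, _ in steps(P)}

def wait(P, p):                           # Definition 2.5: wait-time step by p
    tag = P[0]
    if tag == 'nil': return P
    if tag == 'pre': return ('pre', P[1], max(P[2] - p, Fraction(0)), P[3])
    if tag == 'rec':
        Q = wait(P[2], p)
        return None if Q is None else subst(Q, P[1], P)
    if tag in ('sum', 'par'):
        Q1, Q2 = wait(P[-2], p), wait(P[-1], p)
        return None if Q1 is None or Q2 is None else P[:-2] + (Q1, Q2)
    return None                           # a free variable has no time semantics

def residual(a, P):                       # Definition 2.6: R(a, P)
    tag = P[0]
    if tag == 'pre': return P[2] if P[1] == a else Fraction(1)
    if tag == 'sum': return min(residual(a, P[1]), residual(a, P[2]))
    if tag == 'rec': return residual(a, P[2])
    if tag == 'par':
        r1, r2 = residual(a, P[2]), residual(a, P[3])
        return max(r1, r2) if a in P[1] else min(r1, r2)   # wait for a partner / fastest wins
    return Fraction(1)                    # Nil and variables

def residual_all(P):                      # R(P), with min of the empty set = 1
    return min((residual(a, P) for a in activated(P)), default=Fraction(1))

def idle(P, p):                           # Definition 2.8: idle-time step iff p <= R(P)
    p = Fraction(p)
    return wait(P, p) if p <= residual_all(P) else None

def run(P, trace):                        # follow actions (str) and time steps; None if no trace
    for e in trace:
        if isinstance(e, str):
            succ = [Q for a, Q in steps(P) if a == e]
            P = succ[0] if succ else None  # the example processes are deterministic
        else:
            P = idle(P, e)
        if P is None: return None
    return P

def zeta(trace):                          # duration: sum of the time steps
    return sum((Fraction(e) for e in trace if not isinstance(e, str)), Fraction(0))

def act(trace):                           # action sequence, time steps removed
    return ''.join(e for e in trace if isinstance(e, str))

# Section 1: P_a = mu X.a.X, P_b = mu X.b.X, P* = P_a ||_{} P_b, and the two traces compared above.
PA = ('rec', 'X', pre('a', ('var', 'X')))
PB = ('rec', 'X', pre('b', ('var', 'X')))
PSTAR = ('par', frozenset(), PA, PB)
CONT = [Fraction(1, 2), 'a', Fraction(1, 2), 'b', Fraction(1, 2), 'a']   # 0.5 a 0.5 b 0.5 a
DISC = [1, 'a', 'b', 1, 'a']                                            # 1 a b 1 a

if __name__ == '__main__':
    print(idle(pre('a', NIL, 0), 1))      # None: (a,0).Q cannot idle (Section 2 example)
    print(residual_all(('par', frozenset({'a'}), pre('a', NIL, 0), pre('a', NIL))))  # 1
    for t in (CONT, DISC):
        print(act(t), zeta(t), run(PSTAR, t))
    print(run(PSTAR, [1, 'a', 1]))        # None: after "1 a" the urgent b forbids a unit step
```

The final states reached by the two traces are related by ⊢_0.5, as the middle line above states: the discrete run leaves b̲ (timer 0) where the continuous run leaves (b, 0.5).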

The same discretization result is shown in a Petri net setting for actions without upper time bound in and for actions with varying (integer) lower and upper time bounds in [Bih98]; for nets of the latter type, [Pop91] already shows how to transform continuous runs to shorter discrete runs.

With our emulation result we can restrict attention to discretely timed testing based on discrete behaviour and discrete time bounds:

Definition 3.8 For a testable process P ∈ 𝒫_I, an observer O ∈ 𝒫_I and D ∈ ℕ_0 define P must_d (O, D), if each w ∈ DL(τ.P ||_𝒜 O) with ζ(w) > D contains some ω. The relation ⊒_d is defined accordingly. ■

We now give our first main result: although ⊒_d is based on fewer tests and much more restricted behaviour than ⊒_c, it turns out that both relations define the same efficiency preorder. By this, we have also reached simplicity: we can now work with a CCS-like untimed algebra, extended syntactically by urgent terms (see Definition 3.2) and semantically by 1-time-steps.

Theorem 3.9 The relations ⊒_c and ⊒_d coincide.

Proof: Let P, Q ∈ 𝒫_I be testable, O an observer and R ∈ ℝ_{≥0}. We first show P must_c (O, R) iff P must_d (O, ⌊R⌋): assume not P must_c (O, R); then there is a w ∈ CL(τ.P ||_𝒜 O) without ω and ζ(w) > R; now by Lemma 3.7, there is a v ∈ DL(τ.P ||_𝒜 O) without ω and ζ(v) ≥ ζ(w) > ⌊R⌋, hence not P must_d (O, ⌊R⌋). Now assume not P must_d (O, ⌊R⌋); then there is a w ∈ DL(τ.P ||_𝒜 O) without ω and ζ(w) > ⌊R⌋, hence ζ(w) ≥ ⌊R⌋ + 1 > R; since DL(τ.P ||_𝒜 O) ⊆ CL(τ.P ||_𝒜 O), the same w causes not P must_c (O, R). With this result we conclude Q must_c (O, R) ⇒ P must_c (O, R) iff Q must_d (O, ⌊R⌋) ⇒ P must_d (O, ⌊R⌋), hence P ⊒_c Q iff P ⊒_d Q. ■

Checking P ⊒_c Q now reduces to checking P ⊒_d Q. But as for testing in general, it is impossible to apply the definition of ⊒_d directly, since there are still infinitely many tests to apply. And as indicated in Section 2, we cannot decide P ⊒_d Q from DL(P) and DL(Q) only, since DL(τ.P ||_𝒜 O) generally cannot be determined from DL(P) and DL(O) alone: e.g. synchronization allows urgent actions in one component to wait for a partner in the other one, which is not the case in stand-alone behaviour of a single component, recorded in DL(P), DL(O) resp. Consider P = a.b.0 ||_{b} (b.0 + c.0) and Q = a.0 ||_∅ (b.0 + c.0); we first argue that DL(P) ⊆ DL(Q): P differs from Q in that b can only be performed synchronously in both components of P and its left component can delay b after a; but in any case, non-synchronized c has to occur before time 2, hence conflicting b can only occur before time 2 in both P and Q, thus P cannot delay b longer than Q. Now consider P* as in Section 1: we have 1 a 1 b ∈ DL(P ||_𝒜 P*) \ DL(Q ||_𝒜 P*) since c ∈ 𝒜 cannot be synchronized with P*, and, hence, cannot deactivate b any more, which can now occur in P later than in Q.

In the next section we will refine the discrete language to a kind of refusal
traces; their inclusion will both be a precongruence for parallel composition
and characterize ⊒_d denotationally; for the latter result, we also need that the
number of different actions ever performable by a process is finite:

Definition 3.10 For a c-process P ∈ P_c and x ∈ {c, d} let ℓ_x(P) = {a ∈
A_τ | ∃ w ∈ CL_x(P), P' ∈ P_c : P ⇒_x^w P' →_x^a}. Then ℓ_c(P) (ℓ_d(P)) is the contin-
uous (discrete) semantic sort of P. ■

Proposition 3.11 Continuous and discrete semantic sort of a c-process P
coincide and will both be denoted ℓ(P). Furthermore, ℓ(P) is finite. ■
4 Characterization

As a consequence of the last section, from now on we let ⊒ denote the (coinciding)
preorders ⊒_c and ⊒_d. Furthermore, we will merely deal with discrete processes
and their discrete behaviour.

We first modify the SOS-rules for wait-time as follows: we only allow unit time
steps and record at each time step a so-called refusal set X of actions which are
not waiting; i.e. these actions are not urgent, they do not have to be performed
and can be refused at this moment. Note that additionally, and in contrast to
passage of wait-time, we now prohibit passage of time if there are urgent τ's. This
time semantics is also a relaxation of (discrete) idle time: all actions in A ∪ {τ}
are treated correctly w.r.t. passage of idle time.

Definition 4.1 →_r ⊆ (P × 2^{A_τ} × P) is defined inductively, where X, X_i ⊆ A_τ:

[Inference rules for time steps, spilled in the scan; only their shape survives: a rule for nil (0 –X→_r 0), rules for prefixing a.P with a ∈ A ∪ {τ}, a rule for parallel composition P_1 ||_A P_2 –X→_r P_1' ||_A P_2' from premises P_i –X_i→_r P_i' for i = 1, 2, a rule for choice P_1 + P_2 from premises for P_1 and P_2, a rule for relabeling P[Φ] from a premise P –X→_r P', and a rule for recursion μX.P –X→_r P'{μX.P/X}.]

For P, P' ∈ P, we write P –X→_r P' if (P, X, P') ∈ →_r and call this a time step. We
write P –X→_r, if there exists a P'' ∈ P such that (P, X, P'') ∈ →_r. ■

By 4.2.1 below, the set of possible refusal sets at a time step is downward
closed w.r.t. set inclusion, and by 4.2.2, not activated actions can always be
refused; finally, 4.2.3 provides the link between time steps and unit-time-waiting,
unit-time-idling resp.:

Proposition 4.2 Let P, Q ∈ P be process terms and let X, X' ⊆ A_τ.

1. If P –X→_r Q and X' ⊆ X, then P –X'→_r Q.

2. If P –X→_r Q and X' ∩ A(P) = ∅, then P –X∪X'→_r Q.

3. P –X→_r Q iff P –1→_c Q and ∀ a ∈ X ∪ {τ}: […](a, P) = 1, i.e. P –A_τ→_r Q iff P –1→_d Q. ■

Combining time steps and occurrence of actions, we now define refusal traces
of processes, which refine the discrete language due to 4.2.3 (part 2).

Definition 4.3 Let P, P' ∈ P be processes. We write P –ε→_r P' if either
ε = a ∈ A_τ and P –a→ P', or ε = X ⊆ A_τ and P –X→_r P'. For sequences w, we
define P ⇒_r^w P' and P ⇒^w P' analogously to 2.1.1. Then RT_τ(P) = {w | P ⇒_r^w}
is the set of τ-refusal traces of P, and the set RT(P) = {w | P ⇒^w} are the refusal
traces of P. Functions act(w) and ζ(w) are extended to elements from RT_τ(P)
and RT(P), i.e. ζ(w) is the number of time steps (sets) in w. ■

As for discrete traces, we note that P is closed under performance of refusal
traces, i.e. P ∈ P and P ⇒_r^w P' for some w ∈ RT_τ(P) implies P' ∈ P again.

Theorem 4.4 RT(P) ⊆ RT(Q) implies DL(P) ⊆ DL(Q) for P, Q ∈ P. ■

In order to see that RT-inclusion is strictly finer than DL-inclusion, consider
for example the processes P and Q from the end of Section 3 again: we have
DL(P) ⊆ DL(Q) but there is e.g. ∅a{b} ∈ RT(P) \ RT(Q).

The information on temporal and nondeterministic behaviour of a process
provided by refusal traces is quite similar to the one e.g. contained in the 'barbs'
of TPL (see [HR95]; more precisely, the resulting preorders are quite similar).
Remarkably, we will be able to observe this information with asynchronous,
i.e. weak, test processes. A notable difference between the settings is that only
in our setting an action can be both activated and refusable at the same time:
consider a.P with a ∈ A(P) and a.P –{a}→_r a.P as an example.

From now on we denote refusal-trace-inclusion and -equivalence also by ≤_r,
=_r resp. and lift these relations to process terms as usual via closed substitutions:

Definition 4.5 Let P, Q ∈ P be process terms. We write P ≤_r Q if for all closed substitutions
S : X ↦ P where [P]_S, [Q]_S ∈ P we have RT([P]_S) ⊆ RT([Q]_S). We write
P =_r Q if P ≤_r Q and Q ≤_r P. ■

The following developments are concerned with (pre)congruence properties of
refusal-trace-equivalence (-inclusion). We note that all these also hold for RT_τ-
semantics; this will be important when deriving the precongruence property
of RT-inclusion w.r.t. recursion. We first show that refusal-trace-inclusion (in
contrast to DL-inclusion) is a precongruence for parallel composition:

Theorem 4.6 Let u, v ∈ (A_τ ∪ 2^{A_τ})* and A ⊆ A; then u ||_A v is the set of all
w ∈ (A_τ ∪ 2^{A_τ})* such that u = u_1 ... u_n, v = v_1 ... v_n, w = w_1 ... w_n for some
n and for all k = 1, ..., n one of the following cases applies:

1. u_k = v_k = w_k = a ∈ A

2. u_k = w_k = a ∈ A_τ \ A and v_k = λ

3. v_k = w_k = a ∈ A_τ \ A and u_k = λ

4. u_k = X_u ⊆ A_τ, v_k = X_v ⊆ A_τ,
   w_k = X_w ⊆ A_τ and X_w ⊆ (A ∩ (X_u ∪ X_v)) ∪ ((X_u ∩ X_v) \ A)

For sets R_1, R_2 ⊆ (A_τ ∪ 2^{A_τ})* we define R_1 ||_A R_2 = ∪ {u ||_A v | u ∈ R_1, v ∈ R_2}.

Then for processes P_1, P_2 ∈ P, we have RT(P_1 ||_A P_2) = RT(P_1) ||_A RT(P_2). In
particular, RT-inclusion is a precongruence for parallel composition. ■
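The trace-level operator u ||_A v of Theorem 4.6, implemented as an added example (constructed code, not from the paper): actions are strings, refusal sets are frozensets, the synchronisation set A is the `sync` argument, and case 4 enumerates every refusal set X_w admitted by the bound (A ∩ (X_u ∪ X_v)) ∪ ((X_u ∩ X_v) \ A).

```python
"""Refusal-trace parallel composition u ||_A v (Theorem 4.6), as an added example."""
from itertools import combinations

TAU = "tau"   # the internal action; it is never a member of a synchronisation set


def is_refusal_set(x):
    """Elements of a refusal trace are actions (str) or refusal sets (frozenset)."""
    return isinstance(x, frozenset)


def subsets(s):
    """All subsets of s as frozensets (case 4 admits every X_w below the bound)."""
    items = sorted(s)
    return [frozenset(c) for r in range(len(items) + 1)
            for c in combinations(items, r)]


def compose(u, v, sync):
    """Return the set u ||_A v of refusal traces, following the four cases of 4.6.

    u, v: tuples of actions / refusal sets.  sync: the synchronisation set A.
    """
    sync = frozenset(sync)
    results = set()

    def step(i, j, w):
        if i == len(u) and j == len(v):        # both traces consumed: w is complete
            results.add(tuple(w))
            return
        ui = u[i] if i < len(u) else None
        vj = v[j] if j < len(v) else None
        # case 1: a synchronised action occurs in both components at once
        if ui is not None and not is_refusal_set(ui) and ui in sync and ui == vj:
            step(i + 1, j + 1, w + [ui])
        # case 2: u performs an unsynchronised action alone (v contributes lambda)
        if ui is not None and not is_refusal_set(ui) and ui not in sync:
            step(i + 1, j, w + [ui])
        # case 3: symmetric for v
        if vj is not None and not is_refusal_set(vj) and vj not in sync:
            step(i, j + 1, w + [vj])
        # case 4: a time step is taken by both components simultaneously; a
        # synchronised action is refused if either side refuses it, an
        # unsynchronised one only if both sides refuse it
        if is_refusal_set(ui) and is_refusal_set(vj):
            bound = (sync & (ui | vj)) | ((ui & vj) - sync)
            for xw in subsets(bound):
                step(i + 1, j + 1, w + [xw])

    step(0, 0, [])
    return results


def compose_sets(r1, r2, sync):
    """R_1 ||_A R_2: the union of u ||_A v over all u in R_1 and v in R_2."""
    return set().union(*(compose(u, v, sync) for u in r1 for v in r2))
```

Note that a trace containing a time step cannot be composed with one that has none: time steps are always joint, so `compose(("a",), (frozenset(),), set())` is empty.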

We now show that refusal-trace-inclusion is also a precongruence for prefix,
relabeling and hiding; these results are needed for the characterization.

Theorem 4.7 Let R ⊆ (A_τ ∪ 2^{A_τ})*, a ∈ A, and let

1. a.R be the set of prefixes of
   {X_1 ... X_n a | n ∈ N_0, X_1 ⊆ A_τ, X_2, ..., X_n ⊆ A_τ \ {a}} ∘ R,

2. a̲.R be the set of prefixes of {X_1 ... X_n a | n ∈ N_0, X_1, ..., X_n ⊆ A_τ \ {a}} ∘ R,

3. τ.R = {ε, X | X ⊆ A_τ} ∘ R,

4. τ̲.R = R.

Then RT(a.P) = a.RT(P) and RT(a̲.P) = a̲.RT(P) for P ∈ P_1 and a ∈ A_τ.
Moreover, RT-inclusion is a precongruence for prefixing of (initial) processes. ■

Theorem 4.8 Let Φ be a general relabeling function, a ∈ A_τ, X ⊆ A_τ and
define a[Φ]^{-1} = […] and X[Φ]^{-1} = (Φ^{-1}(X ∪ {τ})) \ {τ}; we extend [Φ]^{-1}
to sequences w ∈ (A_τ ∪ 2^{A_τ})* via concatenation ∘, where we additionally let
λ[Φ]^{-1} = Φ^{-1}(τ) \ {τ}.

Then for a process P ∈ P we have RT(P[Φ]) = {w ∈ (A_τ ∪ 2^{A_τ})* | […] ∈
RT(P) […]}. Moreover, RT-inclusion is a precongruence for general relabeling
P[Φ] of processes, hence also for relabeling and hiding. ■

A further property needed for the characterization of ⊒ is that 0 is a zero
element for both choice and parallel composition without synchronization:

Proposition 4.9 Let P ∈ P. Then P ||_∅ 0 =_r P and P + 0 =_r P. ■

Finally, we state that refusal traces can always be extended by a time step
(after performing all urgent internal activity) and that time steps can be omitted:

Proposition 4.10 Let P ∈ P, let w, w' ∈ (A_τ ∪ 2^{A_τ})* and let X ⊆ A_τ.

1. w ∈ RT(P) if and only if w∅ ∈ RT(P).

2. wXw' ∈ RT(P) implies ww' ∈ RT(P). ■

We now have gathered all elements for characterizing the efficiency preorder,
which is our second main result:

Theorem 4.11 Let P_1, P_2 ∈ P_1 be testable. Then P_1 ⊒ P_2 iff P_1 ≤_r P_2.
Proof: (sketch)

'if': Let (O, D) be a timed test. Then RT(P_1) ⊆ RT(P_2) implies DL(τ.P_1 ||_A O) ⊆
DL(τ.P_2 ||_A O) by 4.6, 4.7 and 4.4. Thus, if P_1 fails the test due to some w_1 ∈
DL(τ.P_1 ||_A O), then so does P_2.

'only if': We assume P_1 ⊒ P_2 and take some w_1 ∈ RT(P_1). Then all actions in
w_1 are in ℓ(P_1) ∪ ℓ(P_2) by […]. Furthermore, by 4.2.1 and 4.2.2
and A(P) ⊆ ℓ(P), we may assume that for all refusal sets X in w_1 we have X ⊆
ℓ(P_1) ∪ ℓ(P_2), which is finite due to 3.11. Now let w = λ if w_1 = λ and w = w_1∅
otherwise; then also w ∈ RT(P_1) by 4.10.1. Furthermore, Xw ∈ RT(τ.P_1) for
each X ⊆ ℓ(P_1) ∪ ℓ(P_2) by 4.7.3; we will only consider the case X = ∅.

We will construct a timed test (O_{Xw}, ζ(w)) that is failed by a testable process
P ∈ P_1 if and only if Xw ∈ RT(τ.P). Hence, P_1 fails (O_{∅w}, ζ(w)), thus by
assumption P_2 fails (O_{∅w}, ζ(w)), too, and we conclude Xw ∈ RT(τ.P_2). But
then Xw_1 ∈ RT(τ.P_2) by 4.10.1 and w_1 ∈ RT(P_2) or ∅w_1 ∈ RT(P_2) by 4.7.3,
i.e. w_1 ∈ RT(P_2) by Proposition 4.10.2, and we are done.

Here, we give the inductive construction of O_{Xw} and then only describe infor-
mally the function and the interplay of its parts. To make induction work, we
define O_{Xw} for sequences Xw that end with ∅ but may start with an arbitrary
X ⊆ ℓ(P_1) ∪ ℓ(P_2). Furthermore, all actions of Xw are in ℓ(P_1) ∪ ℓ(P_2) and all
refusal sets are subsets of ℓ(P_1) ∪ ℓ(P_2). O_{Xw} will consist of several components
that communicate via synchronized actions which must not occur in the sort
of P_1 or P_2. Hence, let H = {b_0, c_0, b_1, c_1, ...} ⊆ A be an infinite set such that
H ∩ (ℓ(P_1) ∪ ℓ(P_2)) = ∅; H exists since ℓ(P_1) and ℓ(P_2) are finite and A is infinite.

We first let T_{Xw} = Q_{Xw} ||_H S_{Xw} ||_H R_{Xw} with R_{Xw} = (X_{Xw} ||_∅ c_{ζ(w)}.0) and the
components Q_{Xw}, S_{Xw} and X_{Xw} are defined inductively as follows, where in the
base case Xw = ∅ we let Q_∅ = ω.0, S_∅ = 0 and X_∅ = 0. Now let the general
case be Xw = X a_1 ... a_n X'w', where X'w' ends with ∅. We define:

Q_{Xw} = (b_{ζ(w)}.Q_{X'w'}) ||_∅ (c_{ζ(w)}.0 + ω.0)

S_{Xw} = […] S_{X'w'}

X_{Xw} = (b_{ζ(w)}.X_{X'w'}) ||_∅ (c_{ζ(w)−1}.0 + Σ_{x∈X'} x.0)

Finally, we let O_{Xw} = T_{Xw} / H.

The part X a_1 ... a_n of Xw = X a_1 ... a_n X'w' is called the ζ(w)-th round of Xw,
started by occurrence of X, whereas occurrence of X' marks the begin of the
(ζ(w) − 1)-th round.

Q_{Xw} is the 'clock'-part of the test, which for each round i of Xw enables an ω
that is urgent after the time step starting round i and can only be deactivated by
performing the auxiliary action c_i (completion of round i) before the next time
step. The 'action-sequence'-part S_{Xw} will ensure that c_i can only occur after
performance of the action sequence a_1 ... a_n, which itself must be preceded by
the auxiliary action b_i (begin of round i). Furthermore, occurrence of b_i triggers
the activation of the ω for the next round by enabling Q_{X'w'}. This must not
happen too early, i.e. b_i and hence c_i will be performed after the time step
starting round i and before the next one. At the beginning of the present round,
the 'refusal-set'-part X_{Xw} enables all actions x from the refusal set X' of the
following round in conflict with the auxiliary action c_{i−1}, which has to occur
only at completion of the following round. After the time step of the present
round, all x from X' have become urgent, but may not occur, i.e. must be
refusable by the tested process at the time step starting the following round.
Finally, X_{Xw} is augmented to R_{Xw} for proof-technical reasons, T_{Xw} puts all
three parts together via synchronization, and O_{Xw} hides the auxiliary actions
away. Otherwise, they would have to synchronize with the tested process, which
is of course impossible by the definition of H. ■

5 Full Abstraction 

Refusal-trace-inclusion not only characterizes the efficiency preorder, but also 
makes just the necessary refinements to discrete behaviour of (initial) processes 
in order to gain a precongruence for parallel composition and prefix: 

Corollary 5.1 RT-semantics is fully abstract w.r.t. DL and parallel composition
and prefixing of initial processes, i.e. gives the coarsest congruence for initial
processes and these operators that respects DL-equivalence. For process terms,
≤_r is a precongruence for these operators, and also for hiding and relabeling. ■

As usual, RT-inclusion alone is not a precongruence for choice: e.g. we have
0 ≤_r τ.0 and τ.0 ≤_r 0, but for a ≠ τ, we have neither 0 + a.0 ≤_r τ.0 + a.0
(since ∅∅a ∈ RT(0 + a.0) \ RT(τ.0 + a.0)), nor τ.0 + a.0 ≤_r 0 + a.0 (since
{a}{a} ∈ RT(τ.0 + a.0) \ RT(0 + a.0)). Thus, we also have to consider the (initial)
stability of processes, where the example indicates that although we consider a
preorder this additional condition is not an implication but an equivalence:

Definition 5.2 A process P ∈ P is stable if τ ∉ A(P). For process terms
P, Q ∈ P we write P ≤ Q if for all S : X ↦ P where [P]_S, [Q]_S ∈ P we have:
RT([P]_S) ⊆ RT([Q]_S) (hence P ≤_r Q) and additionally [P]_S stable iff [Q]_S
stable. We write P = Q if P ≤ Q and Q ≤ P.

For n ∈ N we write P ≤^n Q if for all S : X ↦ P where [P]_S, [Q]_S ∈ P we have:
v ∈ RT_τ([P]_S) and |v| ≤ n implies v ∈ RT_τ([Q]_S). We write P =^n Q if P ≤^n Q
and Q ≤^n P. We write P ≤_τ Q (P =_τ Q) if P ≤^n Q (P =^n Q) for all n ∈ N. ■

The class of RT_τ-inclusions (≤^n) will support an approximation technique
when treating recursion later on. The following two results yield that we have
defined ≤ adequately in order to gain the coarsest precongruence w.r.t. choice
that respects RT-inclusion, hence the efficiency preorder:

Theorem 5.3 Let R ⊆ P_1 or R ⊆ P_0 and R = {P_i | i ∈ I} for some fi-
nite I, hence Σ_{i∈I} P_i ∈ P. For each n ∈ N_0 let RT^n(R) = {X_1 ... X_n w ∈
∪_{i∈I} RT(P_i) | X_1 ... X_n ∈ ∩_{i∈I} RT(P_i), X_j ⊆ A_τ, w does not start with a set}.
Finally, let P = Σ_{i∈I} P_i and let I = S ∪ S̄ such that P_i is stable iff i ∈ S.

1. If S = I, then RT(P) = ∪_{n∈N_0} RT^n(R).

2. If S ≠ I and R ⊆ P_0, then RT(P) = ∪_{i∈S} RT(P_i) ∪ RT^0(R).

3. If S ≠ I and R ⊆ P_1, then RT(P) = RT([…]) ∪ RT^0(R) ∪ RT^1(R). ■

Theorem 5.4 Both ≤_τ and ≤ are precongruences for parallel composition,
prefixing, hiding and relabeling and choice of process terms, and ≤_τ is strictly
finer than ≤. For initial processes, ≤ is fully abstract w.r.t. choice and ≤_r. ■

One might argue that the constructions in 5.3 require more information than
provided by ≤ in order to gain the refusal traces of a sum from the refusal traces
of its components: in addition to the stability of the components we have to
know whether they are initial or urgent in order to choose correctly between cases
2 and 3. We only indicate here that this information is indeed provided by RT-
semantics: if there is no stable component, then cases 2 and 3 coincide, hence
assume P_i to be a stable component; if A(P_i) = ∅ then it can be omitted from
the sum, hence assume A(P_i) ≠ ∅; then P_i ∈ P_0 ∪ P_1 implies that […] ∈ RT(P_i)
if and only if P_i ∈ P_1.

We finally aim to show that ≤ is also a precongruence for (guarded) recursion.
Following […], we consider (initial) process terms as functions in the domain
of (τ-)refusal-traces and will exploit their monotonicity w.r.t. ≤ and ≤_τ, which
essentially results from 5.4.

Definition 5.5 For closed substitutions S, S' : X ↦ P we write S ≤ S' if
S(X) ≤ S'(X) for all X ∈ X, and S ≤_τ S' if S(X) ≤_τ S'(X) for all X ∈ X.

An initial process term P ∈ P_1 is monotonic, if [P]_S ≤ [P]_{S'} whenever S ≤ S'
for any closed initial substitutions S, S' : X ↦ P_1. τ-monotonicity is defined
analogously with ≤_τ instead of ≤.

For each n ∈ N, X ∈ X and P ∈ P_1 let P_X^n denote the initial process term
defined inductively by P_X^1 = P and P_X^{n+1} = P{P_X^n/X} = […]. ■

Now RT_τ(μX.P) is a fixpoint of the RT_τ-function defined by the initial pro-
cess term P, and τ-monotonicity of this function carries over to its iterated
applications, where the guardedness of X allows us even to ignore up to a cer-
tain degree the relation of the arguments for X:

Lemma 5.6 Let P ∈ P_1 be a τ-monotonic initial process term and let X ∈ X
be guarded in P. Furthermore, let S_1, S_2 : X ↦ P_1 be closed initial substitutions
with S_1(Y) ≤_τ S_2(Y) for all Y ≠ X. Then for all n ∈ N:

1. μX.P =_τ P_X^n{μX.P/X}.

2. [P_X^n]_{S_1} ≤^n [P_X^n]_{S_2}. ■

We now can derive the precongruence property for τ-monotonic and mono-
tonic initial process terms, where we use the fact that for all refusal traces
w ∈ RT(μX.P) there is an underlying τ-refusal trace v ∈ RT_τ(μX.P), such that
w = v/τ and |v| ≤ n for some n ∈ N:

Proposition 5.7 Let P, Q ∈ P_1 be initial process terms that are both τ-
monotonic and monotonic, and let X ∈ X be guarded in both P and Q.

1. P ≤_τ Q implies μX.P ≤_τ μX.Q.

2. P ≤ Q implies μX.P ≤ μX.Q. ■

Showing the τ-monotonicity and monotonicity of all initial process terms by
induction on the term structure using […], we end up with the result:

Theorem 5.8 Both ≤_τ and ≤ are precongruences for recursion. ■

We are currently working on an axiomatization of the ≤-preorder, which turns
out to be somewhat involved due to the handling of both initial and urgent ac-
tions; whereas basic axioms like a.P ≤ a.τ.P (but in general a.τ.P ≰ a.P) can
be justified by our theorems quite straightforwardly, parallel composition with
synchronization seems to require some more technical effort: we not only seek
a semantically founded expansion law but a truly syntactic axiom, which appar-
ently requires the introduction of some auxiliary operator. Using our theorems
we can already derive that τ.a ||_{{a}} τ.a is strictly faster than τ.τ.a; this is in ac-
cordance with our intuition, where we expect the simultaneous execution of two
independent actions to be faster than their sequentialisation.

6 Related Work 

In the literature, several approaches to efficiency preorders have been proposed, 
from which only representative samples can be considered here. 

For untimed CCS-like terms, efficiency preorders based on testing have been
investigated in […] and [NC96a], and bisimulation-based ones in [AKH92]
and [AKN95]: in all these approaches, efficiency is measured by counting internal
actions, where runs of a parallel composition are seen to be the interleaved runs
of the components; consequently, in all cases, τ.a ||_{{a}} τ.a is as efficient as τ.τ.a,
in contrast to the above result in our setting.

TPL is a CCS-based discretely timed process algebra developed in [HR95],
where systems are also related via a must-testing approach. In [NC96b], the
resulting preorder is interpreted as relating systems w.r.t. their temporal and
functional 'predictability' rather than efficiency. Systems in TPL can be consid-
ered as synchronous, since maximal progress is forced in test application. This
gives the test environment more direct control over the temporal behaviour than
in our setting. As a consequence, no time bounds are needed for tests; rather,
these can be built into the test itself. TPL can also be seen as a discrete part of
the continuously timed process algebra TimedCSP (cf. [Sch95]), where e.g. the
discrete unit delay σ is replaced by WAIT 1 constructs.

In the discretely timed algebra TCCS of [MT91], components may have
arbitrary relative speeds, but there is no progress assumption at all and the
efficiency preorder is based on a sort of bisimulation; an interpretation in terms
of worst-case behaviour is not obvious. [CGR97] gives a different bisimulation-
based approach, where component speeds are fixed with respect to local clocks
(modulo patience for communication in […]). Here, the operational semantics
realizes local passage of time, hence this idea is hard to compare to our or any
other approach.

The idea of associating time intervals to actions in distributed systems can
be found e.g. in […] and, in a process algebraic setting, e.g. in [Zic94]: the
latter is (what is sometimes called) a 'soft-real-time' approach, where time can
exceed the upper time bound of an action, which disables this action; this is in
contrast to our approach where actions are persistent.

[Hür92] discusses how (the more realistic) continuously timed behaviour can
be approximated with discretely timed behaviour; the aim is to ensure that
each implementation in the discrete view is indeed an implementation in the
continuous view (but not necessarily vice versa). There is no result showing that
discrete time gives complete information as in our setting.
Abstract. Program compilation can be formally defined as a sequence
of equivalence-preserving transformations, or refinements, from high-
level language programs to assembler code. Recent models also incor-
porate timing properties, but the resulting formalisms are prohibitively
complex. Here we take advantage of a new, simple model of real-time
refinement to present a straightforward formalism for compilation that
incorporates real-time constraints.



1 Introduction 

Compiler correctness is a significant concern for developers of safety-critical sys-
tems. In an attempt to improve confidence in compiler quality, numerous at-
tempts have been made to represent code generation as a formal transformation,
or refinement, process […]. This has proven to be surprisingly challeng-
ing, and the results disappointingly complex. Since many safety-critical systems
have strict timing constraints, some models also add the concept of time to the
formalism, thus increasing this complexity even further […].

A significant disadvantage of these formalisms is that they differ markedly
from the widely-known refinement calculus defined by Morgan […]. Recently,
however, Hayes and Utting proposed a real-time formalism for sequential, imper-
ative programs that presents a modest increment on the established calculus […].
Furthermore, we have already shown that, with care, the standard refinement
calculus can be used to model compiler code generation […]. The goal of this
paper, therefore, is to combine these two outcomes to produce a simple refine-
ment formalism for representing compilation of programs with hard real-time
constraints.

2 Languages 

In this section we describe the modelling, source and target languages used for 
defining our real-time compilation formalism. To support a refinement calculus, 
both the source and target languages must be well-defined subsets of the overall 
modelling language. 
2.1 Real-Time Refinement Calculus

Here we review a simplified variant of the real-time refinement calculus […]
which will form the modelling language for our real-time compilation formalism.

As usual, the calculus operates on a wide-spectrum language, allowing ab-
stract specifications and concrete statements to coexist. The concrete language
is Dijkstra's guarded command language with statements for assignment (:=),
sequential composition (;), alternation (if ··· fi), iteration (do ··· od), and vari-
able (var) and logical constant (con) declarations. Unrefined code segments are
defined via specification statements

v : [P, Q]

consisting of a frame v, which lists those variables that the statement may
change, a precondition P, which defines the assumed pre-state, and a postcondi-
tion Q, which defines the required post-state. If the precondition is 'true' it may
be omitted. A specification with empty frame and postcondition 'true' is writ-
ten as an assumption {P}. A specification with empty frame and precondition
'true' is written as a coercion [Q]. The refinement relation ⊑ then defines valid
transformations from specification to concrete statements as those that preserve
the desired properties, while possibly adding more or decreasing nondetermin-
ism […].

From its user's perspective, the real-time calculus […] extends the familiar,
untimed refinement calculus […] in two significant ways.

1. There is a distinguished specification variable τ denoting the current time.
It is of type T, which represents the time domain.

2. Other variables are divided into three classes. 

(a) Local variables v cannot be observed outside the block in which they are
declared. A local variable must appear in the frame of a specification
statement if that statement is to change it, and it may appear in zero-
subscripted form in a postcondition to represent its initial value […].

(b) Input variables u are controlled by some process outside the current 
program segment. An input variable may not appear in the frame of a 
specification statement, nor in zero-subscripted form. Each appearance 
of an input variable in a pre or postcondition must be indexed by a 
time-valued expression to yield the value of the input at that time. 

(c) Output variables w are controlled by the current program segment. An 
output variable may not appear in the frame of a specification state- 
ment, nor in zero-subscripted form, and must be indexed in pre and 
postconditions to describe its value at that time. 

Formally, input and output variables actually denote functions from the time
domain. They trace the entire history of interactions with the current program
segment. Each consecutive statement in a program fragment accesses, or con-
strains, a distinct segment of these timed traces […].
2.2 Real-Time Programming Language

Here we define the source language for our compilation formalism. It consists
of a small, imperative programming language with special real-time statements.
Figure 1 shows the correspondence between programming language statements
and their underlying modelling language definitions […]. Here S is a high-level
language statement, E an arbitrary expression, B a boolean expression, and D
a time-valued expression. Importantly, B, E and D may refer to local variables
only. Predicate P may refer to any variable, including the current time τ.



v := E                         τ, v : [τ_0 ≤ τ ∧ v = E_0 ∧ stable(w, τ_0, τ)]

S_1 ; S_2                      S_1 ; S_2

if B then S_1 else S_2 end if  if B → idle ; S_1 ; idle [] ¬B → idle ; S_2 ; idle fi

while B loop S end loop        do B → idle ; S ; idle od ; idle

read(u, v)                     τ, v : [stable(w, τ_0, τ) ∧ (∃ t : T • τ_0 ≤ t ≤ τ ∧ v = u(t))]

write(w, E)                    τ : [τ_0 ≤ τ ∧ w(τ) = E ∧ stable(w \ {w}, τ_0, τ)]

delay until D                  τ : [D ≤ τ ∧ stable(w, τ_0, τ)]

gettime(v)                     τ, v : [τ_0 ≤ v ≤ τ ∧ stable(w, τ_0, τ)]

deadline D                     : [τ ≤ D]

assume P                       : [P, true]

Fig. 1. Definition of high-level programming language statements.



The assignment statement ':=' definition tells us that the assignment may
change local variable v, and will finish with v equal to the value of expression E
evaluated at the time the statement began. Here E_0 is expression E with all local
variables it contains subscripted by 0. The definition also says that the current
time τ may change, but that its final value must be no less than the starting
time τ_0. The stable predicate applies to the list w of all output variables visible
at this point in the program. It is defined as follows.

stable(x, a, b) ≙ (∀ t : T • a ≤ t ≤ b ⇒ x(t) = x(a))
In other words, given a list of timed-trace variables x, and two times a and b, then
stable states that these variables remain unchanged throughout this interval.
(Even though the assignment statement does not act on the output variables w,
the semantics of the timed refinement calculus require us to explicitly state
the behaviour of each timed-trace variable in all time intervals […].) We allow
assignment to be generalised to multiple assignment in the usual way […].

Sequential composition ‘ ; ’ does not consume time, so its definition is the 
standard one. 

In the if statement definition, statement S_1 is selected if B is true, and S_2
is selected if B is false, as one would expect. An unusual feature, however, is
the idle statements. This auxiliary statement is defined as one that may change
the time, but leaves high-level language variables unaffected.

idle ≙ τ : [τ_0 ≤ τ ∧ stable(w, τ_0, τ)]

It is used whenever we want to state that time may pass due to low-level actions
that are not visible to the high-level program […]. The idle preceding statement S_1,
for instance, models the time required to evaluate expression B and branch
to this statement. The idle following statement S_1 models the time required to
branch past the second alternative once the first has been executed. Similarly
for the idle statements before and after statement S_2.

The definition of the iterative while statement follows in the same vein. The 
idle before statement S represents the time required to evaluate expression B 
and reach statement S, and the idle after S represents the time required to 
branch back to the top of the loop. The idle statement following the do loop 
accounts for the time required to evaluate B for the last time, when it is false, 
and exit the loop. 

The read statement takes a value from input variable u and places it in local
variable v. Its definition states that it leaves all output variables w unchanged,
and that the final value of v will equal the value of u at time t, where t occurs
between the starting τ_0 and finishing τ times of the statement. We do not know
exactly when the input will be sampled during the execution of the statement.

The write statement takes the value of an expression E involving local vari- 
ables and sends it to output variable w. Apart from possibly consuming time, it 
has the effect of leaving the final value of the output variable, i.e., w{t), equal 
to the value of expression E. The definition also states that all other output 
variables are unchanged. While the write statement is executing, the value of 
output variable w is unspecified. 

The delay until statement stops progress of the program until at least
time D. Its definition merely says that the finishing time τ may be no less
than D, and that all output variables w are unchanged.

The gettime statement reads the current time into a local variable v. Its 
definition states that the final value of v will be somewhere between the starting 
and finishing times of the statement itself, and that the output variables are 
unchanged. 

So far, none of the definitions has placed any bound on how long each state-
ment may take to execute. To allow for this, a striking feature of the real-time
refinement calculus is a special deadline statement added to the programming
language to allow such bounds to be expressed […]. A deadline statement with
argument D requires the program to reach the point in the code where the state-
ment appears by time D. The definition requires that the current time τ must
be no greater than D. However, since τ may not be changed by the deadline
statement itself (the frame is empty), it is formally a constraint on the preceding
statement to achieve this effect […]. A deadline statement is not executable,
but represents a compile-time requirement to prove that the program has this
desired timing property. Such proofs are possible for sequential programs using
static analysis techniques [5]. This method of introducing timing requirements
to a program is an important advance because it is machine-independent and
allows the functional and timing constraints on programs to be kept distinct […].

The programmer may also use the assume statement to document conditions
that are expected to be true at a certain point in the program, including time-
dependent properties […].

The frames of both the deadline and assume statements are empty, reflecting
the fact that they do not change any high-level language variables. They could
be written as a coercion and an assumption, respectively. Nevertheless, we shall
see below that our intermediate language model adds new variables to the frame
of each statement. In doing so it is convenient to treat the deadline and assume
statements in the same way as other statements, so in Figure 1 we leave their
empty frames explicit.



\[
\begin{array}{lcl}
\mathbf{declare\ var}\ v : T\ \mathbf{begin}\ S\ \mathbf{end} &\triangleq& |[\,\mathbf{var}\ v : T \bullet \mathit{idle};\ S;\ \mathit{idle}\,]| \\[2pt]
\mathbf{declare\ con}\ c : T\ \mathbf{begin}\ S\ \mathbf{end} &\triangleq& |[\,\mathbf{con}\ c : T \bullet S\,]| \\[2pt]
\mathbf{declare\ input}\ u : T\ \mathbf{begin}\ S\ \mathbf{end} &\triangleq& \text{add variable } u \text{ of type } \mathbb{T} \rightarrow T \text{ to the input variable list } \mathbf{u} \text{ in } \alpha S \\[2pt]
\mathbf{declare\ output}\ w : T\ \mathbf{begin}\ S\ \mathbf{end} &\triangleq& \text{add variable } w \text{ of type } \mathbb{T} \rightarrow T \text{ to the output variable list } \mathbf{w} \text{ in } \alpha S
\end{array}
\]

Fig. 2. High-level programming language declarations. 



As shown in Figure 2, it is also important to consider the effect of timing concerns on declarations. When declaring a local high-level language variable v of type T, its definition must account for the time required to allocate space for this variable when the block is entered, and to deallocate this space when the block is left. This is done by adding two idle statements. The declaration of a compile-time constant c, however, does not consume run time, so does not need special treatment. 

We have already noted that each input variable u and output variable w is modelled as a function over the time domain. Therefore, when such a variable is declared with type T, it is semantically interpreted to be a function of type 𝕋 → T [21]. Once declared, such variables may be used in statement S. This is noted here by adding them to the alphabet αS of state variables known to S. 

2.3 Real-Time Intermediate Language 

Here we define a target language for the compilation process. It is an intermediate representation language, close to, but more abstract than, the final machine code. This approach supports machine-independent definitions. In particular, instruction addresses are handled symbolically, and a simple stack-machine model is used, rather than anticipating a particular register set. 



\[
\begin{array}{ll}
\mathit{ldi}_\omega\ i &\triangleq\ pc, st := \omega,\ st \frown \langle i \rangle \\[2pt]
\mathit{ldt}_\omega\ d &\triangleq\ pc, st := \omega,\ st \frown \langle R_{\mathbb{T}}(d) \rangle \\[2pt]
\mathit{sti}_\omega\ v &\triangleq\ \{\#st \geq 1\};\ pc, st, v := \omega,\ \mathit{fr}(st),\ \mathit{lt}(st) \\[2pt]
\mathit{add}_\omega &\triangleq\ \{\#st \geq 2\};\ pc, st := \omega,\ \mathit{fr2}(st) \frown \langle \mathit{lt2}(st) + \mathit{lt}(st) \rangle \\[2pt]
\mathit{sub}_\omega &\triangleq\ \{\#st \geq 2\};\ pc, st := \omega,\ \mathit{fr2}(st) \frown \langle \mathit{lt2}(st) - \mathit{lt}(st) \rangle \\[2pt]
\mathit{leq}_\omega &\triangleq\ \{\#st \geq 2\};\ pc, st := \omega,\ \mathit{fr2}(st) \frown \langle \max(\mathit{lt2}(st) - \mathit{lt}(st) + 1,\ 0) \rangle \\[2pt]
\mathit{jmp}\ \ell &\triangleq\ pc := \ell \\[2pt]
\mathit{fjp}_\omega\ \ell &\triangleq\ \{\#st \geq 1\};\ \mathbf{if}\ \mathit{lt}(st) = 0 \rightarrow pc, st := \ell,\ \mathit{fr}(st) \\
&\qquad\qquad\quad\ [\!]\ \mathit{lt}(st) \neq 0 \rightarrow pc, st := \omega,\ \mathit{fr}(st)\ \mathbf{fi} \\[2pt]
\mathit{evi}_\omega\ E &\triangleq\ pc, st := \omega,\ st \frown \langle E \rangle \\[2pt]
\mathit{evb}_\omega\ B &\triangleq\ pc, st := \omega,\ st \frown \langle R_{\mathbb{B}}(B) \rangle \\[2pt]
\mathit{evt}_\omega\ D &\triangleq\ pc, st := \omega,\ st \frown \langle R_{\mathbb{T}}(D) \rangle \\[2pt]
\mathit{all}_\omega\ s &\triangleq\ pc, my := \omega,\ my \cup \{s\} \\[2pt]
\mathit{dal}_\omega\ s &\triangleq\ pc, my := \omega,\ my \setminus \{s\} \\[2pt]
\mathit{tim}_\omega &\triangleq\ pc, st : [\,pc = \omega \wedge \mathit{stable}(\mathbf{w}, \tau_0, \tau) \wedge (\exists\, t : \mathbb{T} \bullet \tau_0 \leq t \leq \tau \wedge st = st_0 \frown \langle R_{\mathbb{T}}(t) \rangle)\,] \\[2pt]
\mathit{sdi}_\omega\ w &\triangleq\ pc, st : [\,\#st \geq 1,\ pc = \omega \wedge \mathit{stable}(\mathbf{w} \setminus \{w\}, \tau_0, \tau) \wedge st = \mathit{fr}(st_0) \wedge w(\tau) = \mathit{lt}(st_0)\,]
\end{array}
\]

Fig. 3. Intermediate language instruction definitions. 



The target intermediate language is a distinguished subset of the modelling notation. Firstly, we consider individual instructions. Each instruction is represented by updates to machine-level constructs as shown by the selection of instructions in Figure 3. Importantly, the assignment statements in Figure 3 are "timed" assignments of the form defined in Figure 1, so that time may pass while an instruction executes. Here, i is an integer-valued constant or variable name, d is a time-valued constant or variable name, v is a local high-level language variable of type integer, w is a high-level language integer output variable (bold 𝐰 denotes the list of all output variables), ℓ and ω are instruction-memory locations, E is an integer-valued high-level language expression, B is a boolean-valued high-level language expression, D is a time-valued high-level language expression, and s is a string corresponding to the name of a high-level language variable. 

The low-level constructs introduced are as follows. 

• A program counter pc is used for control flow of the low-level program. It is of type 𝔸, denoting the set of memory addresses. 

• A data stack st is used to hold temporary values. It is a sequence of integers, i.e., of type 'seq ℤ'. Let ⟨i₁, i₂, …⟩ represent a sequence, operator ⌢ concatenate two sequences, operator fr return the front of a sequence, i.e., all but the last element, operator fr2 return all but the last two elements, operator lt return the last element of a sequence, and operator lt2 return the second last element. When non-integer values are stored on the stack they must be translated into an appropriate integer representation. For each type T, we assume an appropriate representation relation R_T, of type T → ℤ, which achieves the necessary translation [23] and preserves any essential algebraic properties of the original type. 

• A 'memory' variable my is used to keep track of those high-level language variables which will ultimately be stored in main memory. Here it is merely a set containing the names of variables currently in scope, where names are represented by character strings from set 𝕊. At this level of abstraction we continue to use high-level language variables as our 'storage medium'. (This has the advantage that their type declarations are available to us during the refinement.) Ultimately, however, these variables will be 'refined away' and their role taken by elements in a memory array. In this paper, variable my is a first step towards this. 

The load-integer instruction ldi loads integer value i onto the stack st. Executing the instruction also changes the program counter pc. Since instructions at the intermediate level have yet to be assigned to specific addresses in memory, the symbolic address ω of the following instruction is provided as a subscripted parameter to each instruction's definition. The load-time instruction ldt does the same thing for a time value d; it uses the representation relation R_𝕋 to translate time d to an appropriate integer representation so that it can be stored on the stack. 

The store-integer instruction sti takes the last value from the stack and stores 
it in high-level language variable v. The definition is protected by an assertion 
that the stack contains at least one element — otherwise the instruction’s be- 
haviour would be undefined. 

The add and subtract instructions, add and sub, respectively add and sub- 
tract the last two elements on the stack, destroying these operands, and leaving 
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the result on the stack. Both require the stack to initially contain at least two 
elements. 

The less-or-equal instruction leq compares the last two stack elements, returning 'true' only if the last element is less than or equal to the second last one. We follow the tradition of encoding 'false' by 0 and allowing any other number to represent 'true' [23, §7.3.3]. Expression lt2(st) − lt(st) + 1 will be positive only if the inequality lt(st) ≤ lt2(st) holds (this relies on the operands being integers); otherwise the max operator ensures that the result is 0. 

The jump instruction jmp unconditionally changes the program counter to address ℓ. The jump-if-false instruction fjp does so only if the last value on the stack is 'false', otherwise it just advances to the next location ω; in both cases the tested value is popped from the stack. 

All of these instructions can be translated easily into equivalent machine code. However, the intermediate language's evaluate-integer-expression instruction evi denotes evaluation of a high-level language expression E, with the result left on the stack. It is a very useful modelling aid, but needs to be decomposed into more primitive instructions before machine code generation is possible. The evb and evt instructions do the same thing for boolean and time-valued expressions, respectively. 

The allocate and deallocate instructions, all and dal, manipulate the memory 
variable my in order to keep track of which variable names are currently in scope. 
Here s is the name of a variable which is respectively added to and removed from 
the my set. (In subsequent refinements, these instructions would be replaced with 
operations on a more complicated my data structure representing the run-time 
heap.) 

The final two instructions cannot be represented by assignments because their definitions must refer to the current time. They are therefore both expressed as specification statements so that they can access the special time variable τ. The read-time instruction tim reads the current (hardware clock) time and places it on the stack. Its predicate says that it updates the program counter pc and leaves all output variables 𝐰 unchanged. It also adds a time value t to the stack, where t is some time between the starting time τ₀ and the finishing time τ of the instruction. Relation R_𝕋 is used to convert the time to an integer representation. 

The send-integer instruction sdi sends the value on the top of the stack to output variable w, representing a hardware output port. Its precondition requires the stack to contain at least one element. Its postcondition updates the program counter, leaves all output variables other than w unchanged, pops the stack, and ensures that w equals the value from the top of the stack by the time the instruction finishes. 

The intermediate language model is completed by providing a way of con- 
structing target programs from the individual instructions introduced above. 
This requires both a way of labelling instructions with their (symbolic) loca- 
tions, and of linking lists of instructions together, despite the presence of jump 
instructions which may mean that instructions are not executed in their textual 
order. 
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Firstly, we allow any statement S in our modelling language to be labelled 
by an instruction memory location i. 

i:S = {pc = £}-,S 

Thus a label states that we assume the program counter equals £ when state- 
ment S begins. 

A symmetric operator allows us to express the intention that statement S 
must leave the program counter equal to £ when it terminates. 

S l£ = S [pc = £] 

This is a coercion, forcing S to terminate with an appropriate program counter 
value. (The definition assumes that pc is in the alphabet of statement S.) 

Lastly, we define the meaning of vertically-displayed lists of labelled instruc- 
tions, allowing for the fact that jumps may mean that the instructions are not 
necessarily executed in their order of appearance, but are actually controlled by 
the program counter. 

„ „ do pc = ^ 5i 

/ = \pc = £2^ S 2 

This generalises to an arbitrary number of statements in the obvious way. In 
effect, the do statement acts as an interpreter for the list of labelled instructions, 
as controlled by the special variable pc. Execution of this imaginary loop does 
not itself consume time. All execution time overheads are accounted for in the 
individual instructions in Figure 0 Although each statement Si on the right 
is no longer explicitly labelled, it can still be treated as a labelled statement 
£i : Si when refined in the context of the enclosing loop construct, thanks to the 
preceding guard pc = £i. 

3 Compilation Laws 

Here we show a selection of refinement laws for compilation of real-time programs. 

The first law is intended for use with a complete high-level language program S. It declares and initialises the new low-level variables. The program is assumed to be placed at location a and is required to leave the program counter pointing to location z. Whenever a law requires a 'fresh' address, we assume it is a constant from set 𝔸 that has not been used previously. Let statement S' be statement S extended so that the new low-level variables are part of its alphabet, i.e., {pc, st, my} ⊆ αS', and list pc, st, my is added to the frame of each statement within S. (Strictly speaking, this step is an example of data refinement.) 
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Law 1 (Introduce low-level constructs) Let a and z be fresh addresses, and 
pc, st and my he fresh variable names. 

S C var pc : A:— a; 

st : seqJj := (); 
my : P§ := 0 • 
a-.S'iz 

The following laws show how typical high-level language statements, bracketed by starting a and final z symbolic addresses, can be compiled to instruction lists, controlled by the program counter. Thanks to the way the real-time refinement calculus achieves a clean separation of timing and functional concerns, the laws are a straightforward representation of typical compilation strategies. Here E is an integer-valued high-level language expression, v is a high-level language variable of type integer, B is a boolean-valued high-level language expression, and each S is a high-level language statement. 

Law 2 (Compile integer assignment) Let b be a fresh address. 

\[
a : (v := E) \downarrow z \;\sqsubseteq\;
\begin{array}{l} a : \mathit{evi}_b\ E \\ b : \mathit{sti}_z\ v \end{array}
\]

Law 3 (Compile sequence) Let b be a fresh address. 

\[
a : (S_1;\ S_2) \downarrow z \;\sqsubseteq\;
\begin{array}{l} a : S_1 \downarrow b \\ b : S_2 \downarrow z \end{array}
\]



Law 4 (Compile choice) Let b to e be fresh addresses. 

\[
a : (\mathbf{if}\ B\ \mathbf{then}\ S_1\ \mathbf{else}\ S_2\ \mathbf{end\ if}) \downarrow z \;\sqsubseteq\;
\begin{array}{l}
a : \mathit{evb}_b\ B \\
b : \mathit{fjp}_c\ e \\
c : S_1 \downarrow d \\
d : \mathit{jmp}\ z \\
e : S_2 \downarrow z
\end{array}
\]



Law 5 (Compile iteration) Let b to d be fresh addresses. 

\[
a : (\mathbf{while}\ B\ \mathbf{loop}\ S\ \mathbf{end\ loop}) \downarrow z \;\sqsubseteq\;
\begin{array}{l}
a : \mathit{evb}_b\ B \\
b : \mathit{fjp}_c\ z \\
c : S \downarrow d \\
d : \mathit{jmp}\ a
\end{array}
\]



In the following law, string 'v' is used to represent the name of high-level language variable v, not its value. Here v is a high-level language variable, and T is its type. 
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Law 6 (Compile variable block) Let b and c be fresh addresses. 



a : ( declare 

var V : T 
begin 

S 

end) I 2 



C var V : T • 



(a : allb ‘v ’ 
b-.S[c 
c : dalz ‘v ’) 



On the right, the modelling language’s var operator declares a ‘logical’ version 
of variable v, equivalent to the programming language’s var declaration. For the 
purposes of this paper we use this modelling-language declaration to represent 
memory storage for the high-level language variable, but subsequent refinements 
will replace all occurrences of v with a particular data memory element. 

The law for compiling an integer output statement is similarly straightforward. Here w is a high-level language output variable of type integer. 

Law 7 (Compile integer write) Let b be a fresh address. 

\[
a : (\mathbf{write}(w, E)) \downarrow z \;\sqsubseteq\;
\begin{array}{l} a : \mathit{evi}_b\ E \\ b : \mathit{sdi}_z\ w \end{array}
\]

We can also easily define a law for compiling a delay statement into a busy wait. Here D is a time-valued high-level language expression. 

Law 8 (Compile delay until) Let b to d be fresh addresses. 

\[
a : (\mathbf{delay\ until}\ D) \downarrow z \;\sqsubseteq\;
\begin{array}{l}
a : \mathit{tim}_b \\
b : \mathit{evt}_c\ D \\
c : \mathit{leq}_d \\
d : \mathit{fjp}_z\ a
\end{array}
\]

The clock reading is pushed first and D second, so leq yields 'true' exactly when D is no later than the time read, i.e., once the delay has expired; until then fjp returns control to a. This is a rather inefficient compilation strategy since it re-evaluates the static expression D at every iteration, and thus unnecessarily increases the potential overrun of the delay, but is sufficient for the purposes of exposition. (A subtle consequence of our use of the integer less-or-equal instruction to compare times is that we are assuming the representation relation R_𝕋 preserves the ordering of time constants.) 

For brevity, the above laws rely on the evi, evb and evt instructions to evaluate high-level language expressions. The following laws mimic code generation strategies for expression evaluation [23, §7.3.2] and thus allow these instructions to be eliminated. Let E₁ and E₂ be integer-valued expressions, i and j be integer constants or the names of integer-valued variables, D₁ and D₂ be time-valued expressions, and d be a time constant or the name of a time-valued variable. 

Law 9 (Evaluate integer addition) Let b and c be fresh addresses. 

\[
a : \mathit{evi}_z\ (E_1 + E_2) \;\sqsubseteq\;
\begin{array}{l} a : \mathit{evi}_b\ E_1 \\ b : \mathit{evi}_c\ E_2 \\ c : \mathit{add}_z \end{array}
\]
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Law 10 (Evaluate time difference) Let b and c be fresh addresses. 



a : evtz (Di 



D2) E a : evtb Dx 
b : evtc D2 
c : subz 



Law 11 (Evaluate integer less or equal) Let b and c be fresh addresses. 

a : evbz {Ei ^ E2) E a : evi;, E2 
b : evic E\ 
c : leq^ 



Law 12 (Evaluate integer) 

\[
a : \mathit{evi}_z\ i \;\sqsubseteq\; a : \mathit{ldi}_z\ i
\]

Law 13 (Evaluate time) 

\[
a : \mathit{evt}_z\ d \;\sqsubseteq\; a : \mathit{ldt}_z\ d
\]

When the above refinement laws are repeatedly applied to a program seg- 
ment, they result in a nested set of labelled instruction lists. To eliminate this 
nesting, and achieve a program structure closer to the final machine code, the 
following law allows ‘inner’ statements to be moved to the ‘outer’ list. 

Law 14 (Flatten nested instruction lists) 

\[
\{pc \neq c\};\
\left(\begin{array}{l}
a : (S_1;\ [pc \neq c]) \\
b : \left(\begin{array}{l} b : S_2 \\ c : S_3 \end{array}\right)
\end{array}\right)
\;\sqsubseteq\;
\left(\begin{array}{l}
a : (S_1;\ [pc \neq c]) \\
b : S_2 \\
c : S_3
\end{array}\right)
\]

On the left is a list of two statements, where the second statement is itself a list. (This second statement is labelled by b, as is its first component; application of the preceding laws will always generate nested labels of this form.) The goal is to refine this to the single list shown on the right. Care must be taken, however, that the control flow of the program remains unaffected. To enforce this, two restrictions are introduced on the left to ensure that when the statement labelled c is moved to the outer list, it cannot be executed in situations where it could not have been previously. Firstly, an assumption states that the program counter must not initially equal the inner address c. Secondly, a coercion is used to ensure that the outer statement labelled a does not leave the program counter equal to c. As long as these two conditions hold, we are free to move the inner statement labelled c as shown. (Moreover, the rules defined above always generate lists that obey these two constraints, since every address is fresh, so Law 14 can be applied at any time, without the need to test these conditions.) This rule generalises readily to the case where there are multiple 'inner' and 'outer' statements. 
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4 Example 

As a concrete example, consider the high-level language program in Figure 4. It is a 'transmitter' intended to send the sequence of numbers from 1 to 10 via output port x. However it also has a strict timing requirement to satisfy the demands of a receiver program at the other end. The nth number must be placed in the output buffer by time n at the latest, and must remain there for at least 0.8 seconds. In Figure 4 this timing requirement is expressed by three special real-time statements. Firstly, an assumption states that the program is expected to be started no later than time 0. If the program is started too late, it would be impossible to transmit the first value in time. Secondly, a deadline statement documents the requirement that writing the nth number must be completed by time n. This is a constraint on the write statement preceding this point in the program. Thirdly, the requirement that the output buffer remains undisturbed for at least 0.8 seconds is achieved by the delay until statement, which prevents the program from proceeding, and possibly overwriting x, until 0.2 seconds before the (n+1)th value is due to appear. (The expression is 'n − 0.2', not 'n + 0.8', because n has already been incremented.) 

Compilation of this program proceeds by mechanical application of the laws defined above, and other established program refinement principles. As a first step the low-level variables are introduced and the outermost sequential composition operator is compiled. (We treat the output declaration implicitly here.) 



Program from Figure 4 ⊑ 'by Laws 1 and 3' 

\[
|[\,\mathbf{var}\ pc : \mathbb{A} := a;\ st : \mathrm{seq}\,\mathbb{Z} := \langle\rangle;\ my : \mathbb{P}\,\mathbb{S} := \emptyset \bullet
\begin{array}{l}
(a : (\mathbf{assume}\ \tau \leq 0) \downarrow b \\
\ b : (\mathbf{declare\ var}\ n \cdots \mathbf{end}) \downarrow z)
\end{array}
\,]|
\]

Next the block that declares integer variable n is compiled into instructions 
representing allocation and deallocation of memory space for the variable. 

Statement b ⊑ 'by Law 6' 

\[
|[\,\mathbf{var}\ n : \mathbb{Z} \bullet
\begin{array}{l}
(b : \mathit{all}_c\ \text{`n'} \\
\ c : (n := 1;\ \mathbf{while} \cdots \mathbf{end\ loop}) \downarrow d \\
\ d : \mathit{dal}_z\ \text{`n'})
\end{array}
\,]|
\]

Another application of the sequential composition law partitions the body of 
the block into the initial assignment statement and the while loop. 

Statement c ⊑ 'by Law 3' 

\[
\begin{array}{l}
c : (n := 1) \downarrow e \\
e : (\mathbf{while} \cdots \mathbf{end\ loop}) \downarrow d
\end{array}
\]
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declare 

output X : integer 
begin 

assume r ^ 0; — Assumed starting time 

declare 

var n : integer 
begin 
n ; = 1 ; 

while n ^ 10 loop 
write(a;, n ) ; 

deadline(n) ; — Complete writing n**' value by time n 

n \ = n + 1\ 

delay until(n — 0.2) — Don’t overwrite value until time n + 0.8 

end loop 
end 
end 



Fig. 4. High-level language transmitter. 



Compilation of the assignment statement that initialises n to 1 is completed using two laws. 

Statement c ⊑ 'by Laws 2 and 12' 

\[
\begin{array}{l}
c : \mathit{ldi}_f\ 1 \\
f : \mathit{sti}_e\ n
\end{array}
\]

Compilation of the while loop also proceeds by straightforward application of the appropriate law. 

Statement e ⊑ 'by Law 5' 

\[
\begin{array}{l}
e : \mathit{evb}_g\ (n \leq 10) \\
g : \mathit{fjp}_h\ d \\
h : (\mathbf{write} \cdots \mathbf{delay\ until}(n - 0.2)) \downarrow i \\
i : \mathit{jmp}\ e
\end{array}
\]

Evaluation of the boolean expression guarding the loop is also straightforward. 

Statement e ⊑ 'by Laws 11 and 12' 

\[
\begin{array}{l}
e : \mathit{ldi}_j\ 10 \\
j : \mathit{ldi}_k\ n \\
k : \mathit{leq}_g
\end{array}
\]

The four high-level language statements in the loop body can be formed into an 'instruction' list. (Clearly, the ability to mix high-level and low-level concepts is crucial in a compilation-as-refinement formalism.) 

Statement h ⊑ 'by Law 3' 

\[
\begin{array}{l}
h : \mathbf{write}(x, n) \downarrow l \\
l : \mathbf{deadline}(n) \downarrow m \\
m : (n := n + 1) \downarrow p \\
p : \mathbf{delay\ until}(n - 0.2) \downarrow i
\end{array}
\]

Compilation of the assignment statement that increments n again exercises the laws for assignment statements and expression evaluation. For readability, we also flatten the resulting nested lists. 

Statement m ⊑ 'by Laws 2, 9, 12 and 14' 

\[
\begin{array}{l}
m : \mathit{ldi}_q\ n \\
q : \mathit{ldi}_r\ 1 \\
r : \mathit{add}_s \\
s : \mathit{sti}_p\ n
\end{array}
\]

The statement that writes the value of variable n to output port x is compiled in two steps. 

Statement h ⊑ 'by Laws 7 and 12' 

\[
\begin{array}{l}
h : \mathit{ldi}_t\ n \\
t : \mathit{sdi}_l\ x
\end{array}
\]

The delay statement is compiled into a tight loop that waits for the time on the hardware clock to equal or exceed the delay expression. 

Statement p ⊑ 'by Law 8' 

\[
\begin{array}{l}
p : \mathit{tim}_u \\
u : \mathit{evt}_v\ (n - 0.2) \\
v : \mathit{leq}_w \\
w : \mathit{fjp}_i\ p
\end{array}
\]

Finally, the time-valued delay expression itself must be evaluated. 

Statement u ⊑ 'by Laws 10 and 13' 

\[
\begin{array}{l}
u : \mathit{ldt}_o\ n \\
o : \mathit{ldt}_y\ 0.2 \\
y : \mathit{sub}_v
\end{array}
\]

At this point we have compiled all executable high-level language statements to a nested series of intermediate language instructions. Our formalised 'compilation' is completed by expanding the scope of the nested declaration for variable n, and applying Law 14 to flatten the program structure. The resulting intermediate language program is shown in Figure 5. 
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var 


pc : A: — 


a; 






st : seqZ 


:=(); 






my : P § : 


= 0; 






n : 7 j • 






(a : 


(assume r 


^0)lb 


— Assumed starting time 


b : 


allc ‘rt’ 




— Enter variable block 


c : 


Idif 1 




— Initialise n 


/: 


stie n 






e : 


Idij 10 




— Evaluate loop condition 


j ■ 


Idik n 






k : 


leqg 






9 ■ 


fjPh d 






h : 


Idit n 




— Write n to output port x 


t : 


sdii X 






1: 


deadline 


(n) 1 m 


— Reach here by time n 


m : 


Idiq n 




— Increment n 


q ■ 


Idir 1 






r : 


adds 






s : 


stip n 






P ■ 


tiniu 




— Delay until time n — 0.2 


u : 


Idto n 






0 : 


Idty 0.2 






y • 


suby 






V : 


ieqyy 






w : 


fjP^P 






i : 


jmp e 




— Return to top of loop 


d : 


dalz ‘n’) 




— Exit variable block 



Fig. 5. Compiled intermediate language code for transmitter. 
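The `do pc = ℓᵢ → Sᵢ od` construct of Section 2.3 is an interpreter, so the Figure 3 definitions can be executed. The following Python is an added illustration written for this page, not code from the paper. It implements each instruction of Figure 3 as described, transcribes Figure 5 as data, and runs it under three assumptions that are not the paper's: every timed instruction advances the clock τ by a fixed cost (a stand-in for the cycle counting the paper defers to flow analysis of the final machine code), the representation relation R_𝕋 maps a time in seconds to an integer number of milliseconds, and the non-executable assume and deadline statements are checked against τ as they are reached. That last point turns the paper's proof obligations into run-time tests: a passing run is evidence for one cost model, not the static guarantee the paper requires. Keeping times as integers matters, since `max(lt2 − lt + 1, 0)` would misorder real-valued times that differ by less than one unit.

```python
"""Interpreter for the Figure 3 instruction set over the Figure 5 program.
Added illustration; the cost model, R_T and run-time checks are assumptions."""

TICK = 1000                        # assumed resolution of R_T: 1 ms per integer


def R_T(d):
    """Integer representation of time d; order-preserving, as Law 8 requires."""
    return int(round(d * TICK))


class TimingViolation(Exception):
    pass


def run(prog, start, exit_label, cost=0.01, max_steps=100_000):
    """Execute prog from label `start` until pc == exit_label.
    Returns the recorded sdi writes as (value, time, port) triples."""
    code = dict(prog)              # label -> instruction
    pc, st, my, env, tau = start, [], set(), {}, 0.0
    writes = []

    def val(x):                    # operand: literal or variable name
        return env[x] if isinstance(x, str) else x

    for _ in range(max_steps):
        if pc == exit_label:
            return {"writes": writes, "tau": tau, "my": my}
        ins = code[pc]
        op, nxt = ins[0], ins[1]
        if op == "assume":         # obligation on the environment; no time passes
            if not ins[2](tau):
                raise TimingViolation(f"assume false at {pc}, tau={tau:.3f}")
            pc = nxt
            continue
        if op == "deadline":       # obligation on the preceding code; no time passes
            if tau > val(ins[2]):
                raise TimingViolation(f"deadline {val(ins[2])} missed at {pc}")
            pc = nxt
            continue
        tau += cost                # a timed assignment: time passes
        if op == "ldi":
            st.append(val(ins[2]))
        elif op == "ldt":
            st.append(R_T(val(ins[2])))
        elif op == "sti":
            assert len(st) >= 1
            env[ins[2]] = st.pop()
        elif op in ("add", "sub", "leq"):
            assert len(st) >= 2
            last, second_last = st.pop(), st.pop()       # lt(st), lt2(st)
            if op == "add":
                st.append(second_last + last)
            elif op == "sub":
                st.append(second_last - last)
            else:                  # non-zero iff lt(st) <= lt2(st), for integers
                st.append(max(second_last - last + 1, 0))
        elif op == "jmp":          # for jmp the single field is the target
            pc = nxt
            continue
        elif op == "fjp":
            assert len(st) >= 1
            pc = ins[2] if st.pop() == 0 else nxt
            continue
        elif op == "tim":
            st.append(R_T(tau))    # some t with tau0 <= t <= tau
        elif op == "sdi":
            assert len(st) >= 1
            writes.append((st.pop(), tau, ins[2]))
        elif op == "all":
            my.add(ins[2])
        elif op == "dal":
            my.discard(ins[2])
        else:
            raise ValueError(f"unknown instruction {op!r}")
        pc = nxt
    raise RuntimeError("step budget exhausted")


def transmitter():
    """Figure 5, transcribed as (label, instruction) pairs."""
    return [
        ("a", ("assume", "b", lambda tau: tau <= 0)),
        ("b", ("all", "c", "n")),
        ("c", ("ldi", "f", 1)),    ("f", ("sti", "e", "n")),
        ("e", ("ldi", "j", 10)),   ("j", ("ldi", "k", "n")),
        ("k", ("leq", "g")),       ("g", ("fjp", "h", "d")),
        ("h", ("ldi", "t", "n")),  ("t", ("sdi", "l", "x")),
        ("l", ("deadline", "m", "n")),
        ("m", ("ldi", "q", "n")),  ("q", ("ldi", "r", 1)),
        ("r", ("add", "s")),       ("s", ("sti", "p", "n")),
        ("p", ("tim", "u")),       ("u", ("ldt", "o", "n")),
        ("o", ("ldt", "y", 0.2)),  ("y", ("sub", "v")),
        ("v", ("leq", "w")),       ("w", ("fjp", "i", "p")),
        ("i", ("jmp", "e")),
        ("d", ("dal", "z", "n")),
    ]


def meets_requirements(cost):
    """True iff, at the given per-instruction cost, the assumption and every
    deadline hold and each value stays on port x for at least 0.8 s."""
    try:
        writes = run(transmitter(), "a", "z", cost=cost)["writes"]
    except TimingViolation:
        return False
    times = [t for _, t, _ in writes]
    return (len(writes) == 10
            and all(t <= n for n, t, _ in writes)
            and all(t2 - t1 >= 0.8 for t1, t2 in zip(times, times[1:])))


if __name__ == "__main__":
    for n, t, port in run(transmitter(), "a", "z")["writes"]:
        print(f"{port} := {n:2d} at tau = {t:.2f}")
    print("10 ms/instr:", meets_requirements(0.01), " 200 ms/instr:", meets_requirements(0.2))
```

With a cost of 10 ms per instruction the first write lands at τ = 0.09 and every later one about 0.12 s after its delay expires, so all deadlines hold; at 200 ms per instruction the nine instructions before the first deadline already consume 1.8 s and the run aborts at label l. Nothing in this harness discharges the obligations at a and l in general; it only shows what the later flow-analysis and cycle-counting step has to establish for a real target.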

5 Translation to Machine Code 

The intermediate language program in Figure 5 is not directly executable, but the steps required to translate such a program to executable machine code, or even to directly interpret it, are well established in compiler technology. For instance, recent representations of particular machine instruction sets, such as MIPS R3000, SPARC, Alpha or Intel Pentium instructions, within a unified model show how intermediate representations such as ours can be instantiated for specific architectures. The main steps are as follows. 

1. Symbolic instruction locations must be instantiated with actual addresses. 
(In doing so, no addresses need be reserved for the non-executable assume 
and deadline instructions, since no machine code will be produced for 
them.) 
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2. Above we allowed high-level language variables to appear in load and store 
instructions. Ultimately, these must be replaced with the data memory ad- 
dresses corresponding to these variables, and instructions with appropriate 
addressing modes introduced to access them. Formally, this will involve data 
refinement of the my variable to a memory array structure whose elements 
can take on the role of the corresponding high-level language variables, fol- 
lowed by elimination of the now redundant high-level language variables 
themselves. Also the actions of the allocate and deallocate instructions, all 
and dal, must be extended to perform appropriate manipulation of the new 
memory data structure. 

3. The stack of integers used to hold temporary variables must be replaced 
by the particular set of registers available on the target machine. This may 
involve introducing code for spilling register contents to main memory |3j if 
the number of registers available is less than the maximum depth of the stack. 
Furthermore, the range of data values must be restricted to the particular 
word size of the target machine, and appropriate checks undertaken to ensure 
that arithmetic operations will not cause overflow. 

Since we started with a high-level language program with timing constraints, it is important to observe that these still appear in Figure 5 as non-executable assume and deadline instructions at locations a and l, respectively. Neither of these will generate machine code, so they will not occupy memory space; symbolic locations a and b are therefore synonyms, as are l and m. Nevertheless, these statements represent undischarged proof obligations. We cannot remove them until flow-analysis and cycle-counting has been performed on the final machine code to guarantee that the stated timing requirements will always be met. 

6 Conclusion 

We have combined an existing compilation formalism with a new real-time refinement calculus to create a formal compilation model for real-time programs. The approach avoided machine-specific detail by exploiting the real-time refinement calculus' ability to express machine-independent timing constraints. Instead, a significant degree of abstraction was maintained by targeting an intermediate, stack-machine representation, with embedded timing statements. The outcome was significantly simpler than previous real-time compilation formalisms, and closer to already-familiar refinement methods. 
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Abstract. Stochastic process algebras such as PEPA provide ample 
support for the component-based construction of models. Tools compute 
the numerical solution of these models; however, the stochastic process 
algebra methodology lacks support for the specification and calculation 
of complex performance measures. This paper addresses that problem 
by presenting a performance specification language which supports high 
level reasoning about PEPA models, allowing the description of equilib- 
rium (steady-state) measures. The meaning of the specification language 
can be made formal by examining its foundations in a stochastic modal 
logic. A case-study is presented to illustrate the approach. 



1 Introduction 

Performance Evaluation Process Algebra (PEPA) [1] is an expressive formal language for modelling distributed computer and telecommunications systems. PEPA models are constructed by the composition of components which perform individual activities or cooperate on shared ones. To each activity is attached a stochastic estimate of the rate at which it may be performed. Using such a model, a system designer can determine whether a candidate design meets both the behavioural and the temporal requirements demanded of it. 

Stochastic process algebras such as PEPA provide ample support for the component-based construction of models. Robust tools such as the PEPA Workbench [2] facilitate the numerical solution of these models when calculating the effective performance of the system under study. However, two important parts of the modelling process are at present insufficiently well supported: 

i) the specification and checking of performance properties which are to be satisfied by a model; and 

ii) the formulation and calculation of the complex performance measures which are to be derived from the model's numerical solution. 

Without additional support for these parts of the modelling process there is a 
danger that the difficulty of checking correctness and calculating the performance 
measurements will discourage system designers from undertaking a quantitative 
analysis. If this were the case, the benefits which are to be gained from a thorough 
initial investigation of system correctness and responsiveness would be lost. 
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This paper presents the preliminary results of our attempts to remedy these 
omissions through the creation of a companion language for PEPA which sup- 
ports high-level reasoning about PEPA models and provides a suitably-tailored 
syntax for the description of performance measures over them. This language 
has foundations in a stochastic logic, the aim being to give a precise definition 
to specifications in terms of a well-understood theory. 

Simple models of a computer system can be constructed without explicit 
notational support. However, as computer systems become more complex so do 
their models and the use of a high-level language to aid in their expression be- 
comes necessary. Stochastic process algebras offer attractive features which were 
not available in previous performance modelling paradigms. The most important 
of these are compositionality, the ability to model a system as the interaction of 
subsystems, formality, giving a precise meaning to all terms in the language, and 
abstraction, the ability to build up complex models from detailed components, 
disregarding the details when it is appropriate to do so. Queueing networks of- 
fer compositionality but not formality; stochastic extensions of Petri nets offer 
formality but not compositionality; neither offer abstraction mechanisms. 

Markovian process algebras are enhanced with information about the duration of activities and, via a race policy, their relative probabilities. Several such languages have appeared in the literature; these include PEPA, TIPP and EMPA. Essentially these all propose the same approach to performance modelling: a corresponding continuous time Markov chain (CTMC) is generated via a structured operational semantics; linear algebra can then be used to solve the model in terms of equilibrium behaviour. This behaviour is represented as a probability distribution over all the possible states of the model. 

This distribution is seldom the ultimate goal of performance analysis; instead the modeller is interested in performance measures which must be derived from this distribution via a reward structure defined over the CTMC. A recent case study by first-time users of PEPA reported that a significant proportion of the effort was spent in deriving the performance measures once steady state analysis was complete. 

Earlier work by Clark proposed the use of a modal logic to define the reward structure over a PEPA model. While demonstrating feasibility, this work suffered from two major drawbacks. Firstly, the logic used did not include any representation of the timing aspects of PEPA and consequently does not have a clear relationship to the equivalence relations which have been established for the language, such as Markovian bisimulation (which is also called strong equivalence). Secondly, although the logic formalised an aspect of the PEPA modelling methodology which had previously been carried out in an ad hoc manner, it did so in a way which is inaccessible to system designers, the intended users of PEPA. In the current work we aim to address these problems by developing both a stochastic logic which takes full account of the random variables used to represent the duration of activities in PEPA and a model specification language designed to allow the modeller to express, in a high-level way, properties against which the model should be checked. 
1.1 Structure of This Paper 

In the next section we give a succinct summary of the PEPA language and 
motivate the need for a formal notation for specifying the performance of a 
PEPA model. Since we provide only a brief summary of PEPA here, the reader 
should consult Q for full details. In Section 3 we introduce a formal notation for 
describing performance measures. This will allow the modeller to make queries 
about the equilibrium behaviour of a PEPA model. A logical foundation for 
the specification notation is illustrated in Section 4, where we reveal that the 
language has a particular relationship to probabilistic modal logic. In Section 5 
we illustrate our ideas with a simple, yet realistic, example. Finally, conclusions 
and future directions for the work are presented at the end of the paper. 

2 PEPA 

PEPA (Performance Evaluation Process Algebra) extends classical process al- 
gebra with the capacity to assign rates to activities, which are described in an 
abstract model of a system. It is a concise formal language with a small number 
of grammar rules which define the well-formed terms in the language. An 
activity of action type $\alpha$ performed at rate $r$ preceding $P$ is denoted by $(\alpha, r).P$. 
Using the symbol $\top$ instead of a rate denotes passive participation in a shared 
activity. Choices are separated by $+$. Cooperation between $P$ and $Q$ over a set $L$ 
of action types is $P \bowtie_L Q$, or $P \parallel Q$ if $L$ is empty. Hiding the activities in $L$ and 
thus denying their availability for cooperation gives the term $P/L$. The notation 
for definitional equality is $\stackrel{\mathrm{def}}{=}$. The syntax may be formally introduced by means 
of the following grammar: 

$$S ::= (\alpha, r).S \mid S + S \mid C_S$$

$$P ::= P \bowtie_L P \mid P/L \mid C$$

where S denotes a sequential component and P denotes a model component 
which executes in parallel. $C$ stands for a constant which denotes either a 
sequential or a model component, as introduced in a definition. $C_S$ stands for 
constants which denote sequential components. The effect of this syntactic sep- 
aration between these types of constants is to constrain legal PEPA components 
to be cooperations between sequential processes. PEPA is a high-level notation 
for Markov modelling because it is possible to generate directly from a PEPA 
model a continuous time Markov chain (CTMC) which faithfully encodes the 
temporal aspects of the PEPA model. 

One reason to fix on a formal notation for a task such as performance mod- 
elling is to avoid misunderstanding and misinterpretation of a model. Of course, 
even when a notation is carefully defined, as PEPA is, there may still be errors 
of misrepresentation of parts of the system within the model but all of the users 
of the model can at least agree on the correct interpretation of a given model 
through recourse to the formal definition of the language. However, when we 
come to undertake a careful consideration of properties of a model we see that 
we now have a need for a formal notation for analysis of performance models 
expressed in PEPA. Without this, we would not be able to state performance 
measures precisely. 

It is our intention that each of these specifications should be expressed with 
reference to a PEPA model. This model is converted to an equivalent encoding 
as a CTMC for analysis. Different types of analysis of the Markov process may 
be performed, but for this work, we will require steady-state analysis. This is 
done through the compilation of the infinitesimal generator matrix of the Markov 
process and the solution of this by Gaussian elimination or another technique 
from linear algebra. This leads to a steady state probability vector, expressing for 
each state the long-run probability that the model will be found in that state. 
For many performance measures, a reward vector can be specified, associating 
particular rewards with particular states. The performance measure can be cal- 
culated by the simple scalar product of the probability and reward vectors. For 
example, if we are considering a lift system, utilisation can be calculated from a 
steady state analysis, by considering those states in which the lift is utilised to 
have a reward of 1, and otherwise 0. Timing measures, such as average waiting 
time, cannot be found directly in this way but can be calculated via an 
application of Little’s Law. However, some performance measures cannot be calculated 
from the steady state information. For example, the percentage of lift requests 
satisfied in under two minutes requires a transient analysis, since we are not 
interested in long-run probabilities in this case. A preliminary notation for the 
expression of transient performance measures for PEPA models was given in |2|, 
but is not explored further here. 

In earlier work we have considered the problem of specifying reward struc- 
tures corresponding to PEPA models using a modal logic 0IBI However that 
logic ignored the stochastic elements of the model, namely the random variables 
used to specify activity durations. In this work we extend work on process logics 
into this exciting new area, and show links between an established probabilistic 
logic, and the specification language. 

3 A High-Level Notation for Steady State Properties 

Our objective is to design a high-level notation for expressing steady state prop- 
erties of a PEPA model. This should provide a straightforward means for the 
modeller to make quantitative queries about the behaviour of the model, without 
having to descend into the details of the state space or a reward structure. 

Clearly our language must be capable of expressing properties based on those 
performance measures which can be computed directly by steady state analy- 
sis. Typically we wish to know the probability that some condition holds. To 
express this we use a combination of standard mathematical notation, notation 
of equivalence relations from PEPA, and a new notation expressing the poten- 
tial to perform an action of a given type. The use of equivalence relations in 
this way can focus our queries directly on states, rather than actions. This is 
unusual within the process algebra literature where notions of state are gener- 
ally abstracted, and where only potential actions are used to distinguish models. 
However in Markov processes there is no notion of actions, only states, and all 
views of the behaviour of a process are phrased in terms of the states it can visit. 
Stochastic process algebras sit between these two worlds and consequently it is 
important that our notation has the capabilities to express properties that seem 
natural within both. 

A state based property may mean that we wish to specify the probability 
that component $P$ is in state $P_1$ — in our notation this is expressed simply as: 
$\Pr(P = P_1)$. Such a specification is interpreted relative to a model in which $P$ 
occurs and it succinctly describes the summation of the probabilities of the states 
of the system where sub-component $P$ is in state $P_1$. To be pedantic, we should 
write $\Pr(P \equiv P_1)$ if we intend to require $P$ to be literally $P_1$ and not just 
isomorphic to $P_1$. Similarly, we would write $\Pr(P \sim P_1)$ if we wished to denote the 
probability that $P$ is in a state which is Markovian bisimilar to $P_1$. These probabilities 
may then be used in further calculation such as $r \times \Pr(P = P_1)$ and those 
results used in comparisons as in $r \times \Pr(P = P_1) > M$. More complex descriptions 
of states may be expressed via logical operations as in $\Pr(P = P_1 \wedge Q = Q_1)$ 
or $\Pr(P = P_1 \vee P = P_2)$. For clarity, we may negate relational operators with 
$\Pr(P \neq Q)$ instead of $\Pr(\neg(P = Q))$. 

PEPA allows the modeller to replicate components so that there may be, 
say, several copies of P in the system description. Thus, we introduce a notion 
of situation (or location) of a copy of a component within a PEPA model. It 
could be the case that the component of interest occurs as a sub-component of 
another which has only one instance. If so, we use dot notation to identify the 
sub-component. If not, we number the copies by following a pre-order traversal 
of the abstract syntax tree of the term. 

In order to describe properties in terms of the performance of activities we 
introduce a term for the probability that a type of activity is enabled. We use the 
notation $\Pr(\alpha\!\uparrow)$ for this, whenever the action type of the activity is $\alpha$. Thus the 
interpretation of an activity name as a predicate is that the predicate is satisfied 
whenever the model is in a state $S$ and there is both a state $S'$ and a rate $r$ such 
that $S \xrightarrow{(\alpha, r)} S'$. A convenient extension to this notation is $\Pr(\alpha\!\uparrow P)$, meaning that 
activity a could be performed by component P of the model. However, we shall 
regard these two forms of activity probability as simply convenient abbreviations 
for a much more complex predicate where the components are constrained (or 
a given component is constrained) to those states where they may perform an 
activity of action type a. The cases where the meanings of these two expressions 
would differ arise whenever the model is not PEPA live or not fully live [ 1 1 Ij . 
A fully live PEPA model is one such that, for each reachable state, and each 
syntactic occurrence of an activity within a sequential component, there exists 
another state which is reachable where this occurrence of the activity can be 
performed. For the remainder of this paper we restrict consideration to fully live 
models. 

We now have performance measure expressions $e$, probability terms $r$, 
predicates $\phi$ and situations $\sigma$. These are expressed in the syntax presented in Fig. 1. 
Fig. 1. Syntax of notation for steady state properties 



The characteristics of this notation are that it allows the modeller to inspect 
internal local states of model components and to consider the steady state prob- 
ability of attaining significant states of interest. Under the interpretation of 
activity probabilities as abbreviations for more complex predicates over states 
we may consider this notation to be entirely based on model states. 

4 A Logical Foundation for the Specification Language 

In this section, we illustrate how the specification language, introduced in 
Section 3, may be seen to have a formal underpinning, in terms of a probabilistic 
modal logic. In particular, the expression, and testing for satisfaction of equilib- 
rium properties, can be seen to be closely related to the specification, and model 
checking of a formula expressed in probabilistic modal logic (PML El). We give 
a modified interpretation of such formulae suitable for reasoning about PEPA’s 
continuous time models. 

The study of temporal and modal logics in conjunction with models of con- 
currency is well established. These logics express properties of systems which 
have a number of states, and in which there is a relation of succession. A modal 
logic is used to express a finite behaviour. In a temporal logic operators are 
introduced to allow reasoning over infinite behaviour. 

Over the last decade, work on probabilistic verification has accelerated in line 
with stochastic extensions to models, as used in the performance community. 
Various modifications to logics allow properties to be expressed which reflect the 
additional model information. Recent work by Huth and Kwiatkowska H2| gives 
the temporal logic the modal mu-calculus unj a non-standard semantics, where 
the meaning of a formula is a function from states to [0, 1]. This is intended to 
express the ‘confidence’ that a formula is true, for a given state, although the 
semantics cannot be interpreted directly as probabilities. Their approach results 
in their model checking procedure giving lower bounds for the probabilities of 
properties (these may serve the user as a ‘guarantee’). Further they note that the 
work may be modified to deal with generative (essentially, autonomous) models 
such as those described in PEPA. If it was possible to generate true probabilities 
in this way, it would seem a useful first step in generating performance measures. 
A differing approach is taken by Hansson and Jonsson m, whereby probabilis- 
tic operators are added to the temporal logic CTL. For example, the formula 
$[\phi]_{>p}$ is satisfied for a given state if a measure over the set of paths from the 
state satisfying $\phi$ is greater than $p$. Since the formula will either be satisfied by 
a state, or not, this leads to a classical predicative semantics. A variant of Hans- 
son and Jonsson’s model checking procedure is used in the Probabilistic VERUS 
tool HH]. This is a variant of VERUS, a BDD-based model checker for real-time 
systems m- A VERUS program is a collection of sequential randomised pro- 
cesses; the authors adapt the language to replace non-determinism with discrete 
probability distributions. With a probabilistic logic similar to that mentioned 
above, they are able to specify probabilistic properties, and to check whether 
these properties are satisfied or not. However, as Huth and Kwiatkowska point 
out, a user’s specification of the threshold probability may be inappropriate for 
the task at hand, where the information required is such a threshold itself. These 
varying styles of probabilistic verification suggest avenues of exploration for a 
PEPA reward logic. 

An alternative approach to performance evaluation for stochastic process 
algebras is described by Bernardo PH. Instead of using a separate logical no- 
tation, the author extends the syntax of the stochastic process algebra EMPA 
such that activities include a notion of reward. In order to generate performance 
measures, a reward structure for the underlying stochastic process is generated; 
the reward assigned to each state is the sum of the rewards associated with the 
activities the model enables in that state. By assigning different values (and dif- 
ferent interpretations) to the reward field in appropriate activities, one is able to 
calculate several kinds of performance measure, such as utilisation and 
throughput. The advantages of the method are that it is relatively simple to use 
and apply, and is reasonably expressive. In addition, Bernardo has constructed 
an equivalence relation which respects the additional reward information. An 
extension of strong Markovian equivalence, for each pair of states in an equiv- 
alence class, the total reward accrued by moving into another equivalence class 
is the same for each state. This will allow the theory of EMPA to be extended 
smoothly to incorporate rewards. However, we can argue that a specification 
language based on a logical approach too has its advantages. Firstly, it has the 
potential to be more expressive than an algebra-based technique. By exploiting 
the operators a modal logic supplies, it is possible to be more discriminating 
about which states should contribute to the reward measure. In particular, it 
is possible to select a state based on model behaviour not immediately local to 
the state. Some examples of such performance measures were presented in [7|- 
Philosophically, we may also take the point of view that structure for measuring 
the performance of a model should be separated from the model itself. A dis- 
advantage of a purely logic-based approach is that it may be seen by a user to 
be esoteric, and requiring of more effort in order to understand and apply. This 
motivates one of the aims of our current work, to provide a high-level specifica- 
tion language which abstracts from an underlying logic, and provides the user 
with a framework which is simpler to apply. 

We proceed by describing the principle behind using a logic to generate a 
performance measure. Following that, we highlight why PML may be a suitable 
logic for our purposes. 



4.1 Using Logic to Specify Performance Measures 

Previous work by Clark [Z| proposed an approach to generating measures using 
traditional Hennessy-Milner logic (HML [IB|). The idea was to capture the set 
of ‘interesting’ states of the model by partitioning the state space with a formula 
of the logic — those states that enjoy the property are then assigned a reward, 
such as a number, or a value based on ‘local state’ information, such as the 
rate at which the state may perform a particular activity. All uninteresting 
states are given a reward of 0. In this way, a reward vector is formally specified, 
and equilibrium measures such as utilisation and throughput may be calculated. 
However, the method was not ideal for several reasons. Firstly, it was ad hoc — the 
logic provided an initial partition only, meaning that a calculational technique 
was required in addition, in order to assign reward values. Secondly, the logic was 
qualitative only, in that it disregarded the rate at which a PEPA process could 
perform an activity, and only captured the fact that an activity was possible. We 
believe these issues can be addressed by using a more appropriate logic, namely 
Larsen and Skou’s PML. 



4.2 Probabilistic Modal Logic 

The syntax of PML formulas is given by 



$$F ::= tt \mid \nabla_\alpha \mid \neg F \mid F_1 \wedge F_2 \mid \langle\alpha\rangle_\mu F$$

The models described in HH are probabilistic, in that for any state $P$ and 
any action $\alpha$, there is a (discrete) probability distribution over the $\alpha$-successors 
of $P$. Informally, the semantics of a formula $\nabla_\alpha$ is the set of states unable to 
perform an $\alpha$ activity; and the semantics of $\langle\alpha\rangle_\mu F$ is the set of states such that 
each can make an $\alpha$-transition with probability at least $\mu$ to a set of successors 
each of which satisfies $F$. We choose to modify slightly the interpretation of these 
formulae with respect to PEPA models. First we give a simple definition. 



Definition 1. $P \xrightarrow{(\alpha, \nu)} S$ if and only if for all $P' \in S$, $P \xrightarrow{\alpha} P'$, and 
$\sum\{\, r \mid P \xrightarrow{(\alpha, r)} P',\ P' \in S \,\} = \nu$. 






Now let $P$ be a model of a PEPA process. Then 

$$P \models tt$$

$$P \models \neg F \text{ if } P \not\models F$$

$$P \models F_1 \wedge F_2 \text{ if } P \models F_1 \text{ and } P \models F_2$$

$$P \models \nabla_\alpha \text{ if } P \stackrel{\alpha}{\nrightarrow}$$

$$P \models \langle\alpha\rangle_\mu F \text{ if } P \xrightarrow{(\alpha, \nu)} S \text{ for some } \nu \geq \mu, \text{ and for all } P' \in S,\ P' \models F$$



Therefore, the subscript $\mu$ present in formulae of the form $\langle\alpha\rangle_\mu F$ is now 
interpreted as a rate rather than a probability; if a state $P$ is capable of doing 
activity $\alpha$ quickly enough, arriving at a set of states $S$ each of which satisfies $F$, 
then $P$ satisfies $\langle\alpha\rangle_\mu F$. 



4.3 Relation of PML to the Specification Language 

If we use PML as a vehicle for the semantics of the specification language, it will 
address one of the criticisms of the original PEPA reward language work — that 
the logic was badly suited to the models. Now it is possible to distinguish model 
states that differ only in the rate at which they may perform activities. But how 
does this logic relate to the specification language? This can be made clearer by 
first showing the precise nature of the relation of PML to PEPA. In El, Larsen 
and Skou show that PML exactly characterises probabilistic bisimulation, in the 
sense that two probabilistic processes are bisimilar if and only if they satisfy 
exactly the same set of PML formulae. With our modification to the semantics 
of PML, an analogous result holds for PEPA processes: 

Theorem 1 (Modal characterisation of strong equivalence). Let P be a 

model of a PEPA process. Then 

$$P = Q \text{ if and only if for all } F,\ P \models F \text{ iff } Q \models F$$

That is to say that two PEPA processes are strongly equivalent (in particular, 
their underlying Markov chains are lumpably equivalent [Q) if and only if they 
both satisfy, in our modified setting, the same set of PML formulae. 

Instantly, this gives us an understanding of the notation for specifying equilib- 
rium properties. For example, probability terms may take the form $\Pr(P = P_1)$. 
Model checking a logical characterisation of state $P_1$ via PML would provably 
capture all and only those states $P$ which are strongly equivalent to $P_1$, and 
thus with the steady state vector would immediately lead to a computed value 
for the term $\Pr(P = P_1)$. Another example is provided by the term $\Pr(\alpha\!\uparrow)$. We 
can instantly characterise, up to strong equivalence, those states which should 
be included in the computation of this measure — they are those which satisfy 
the PML formula $\neg\nabla_\alpha$. 
As discussed in Section 3, the performance specification language makes use 
of the idea of model states, as well as model behaviour in a state. This can be 
smoothly reconciled with the use of a probabilistic logic, and the computation 
of the reward vector can thus be seen as a two-stage procedure. The method is 
simple, and standard in the theory of process logics — it is to extend the syntax 
of PML with a set of variables $V$, and for a given model $P$ with state space $S$, 
to extend the semantics with a valuation function $\mathcal{V} : V \to 2^S$. 

$$F ::= tt \mid \nabla_\alpha \mid \neg F \mid F_1 \wedge F_2 \mid \langle\alpha\rangle_\mu F \mid X$$

$$P \models X \text{ iff } P \in \mathcal{V}(X)$$

The intuition is that a variable $X \in V$ represents a property which is 
true in a particular subset of the state space. This allows formulae such as 
$\neg(\langle transmit\rangle_{120}\, FailState)$, where $FailState$ is understood to represent an 
undesirable portion of the state space — “it is not the case that it is possible to 
efficiently transmit a network packet and finish in a failure state”. Given a model, 
and an expression given in the specification language, the two stage generation 
of the reward vector can be understood as: 

i) calculating the valuation function according to any ‘local state’ requirements, 
by e.g. strong equivalence aggregation PJ; then 

ii) computing the satisfaction of the PML formula corresponding to the speci- 
fication, using a model-checking style technique. 

The use of PML suggests ways in which the specification language could 
be extended, if these features would be useful to users. It will certainly be 
possible to reason about more complex behaviour than the ability to perform 
a single activity, and it will be possible to reason directly about the rate at 
which activities are performed. For example, a user may wish to verify that 
the percentage of time that a component in his model is transmitting network 
packets efficiently is higher than 40%. Our notation could be extended to allow 
$\Pr((transmit, 120)\!\uparrow) > 0.4$. The states to be included in the computation of 
the measure would be those captured by the formula $\langle transmit\rangle_{120}\, tt$. 

Due to the predicative semantics of PML, we note that it is straightforward 
to specify utilisation and reliability measures using this approach. The relation 
of PML to throughput measures is not so direct. This is because in previous 
approaches, the reward structure for a throughput measure associates rates of 
activity with particular states. In this paper, we choose not to formally develop 
the link to throughput measures further. However, the specification language will 
provide the necessary level of abstraction to generate throughput measures, and 
could do so using PML as the underlying logic. For example, with our suggested 
extension above, we may determine whether the throughput of our network is 
greater than some threshold with the expression 



$$r \times \Pr((transmit, r)\!\uparrow) > M$$
Although the logic of Huth and Kwiatkowska ^2 does not support a direct 
interpretation of formulae as probabilities, we envisage making use of the under- 
lying ideas to extend our approach in order to cover a wider range of equilibrium 
measures. 

Our choice of PML was motivated by its simplicity, and its link to PEPA’s 
strong equivalence. Other research in the area of probabilistic verification has 
links to our approach. Recent work by de Alfaro m addresses the problem of 
specifying “long-run” average properties of probabilistic systems. The author 
points out that logics such as those presented by Hansson and Jonsson m are 
able to specify bounds on probabilistic properties, but crucially these are prob- 
abilities over behaviours from a specified state. De Alfaro’s approach is inspired 
by process algebraic tests; experiments are defined to represent interesting model 
behaviour patterns. These experiments associate a real-valued outcome with a 
pattern of behaviour, and are considered to occur infinitely often. The author 
shows how these experiments can thus be used to specify long-run behaviour. His 
looks to be a fruitful approach to the problem of probabilistic verification, and 
we too plan to focus on a concept of stochastic test. Currently work in progress, 
we are studying the specification of transient measures by considering a PEPA 
model in cooperation with a stochastic test P]. However our tests do not specify 
long-run behaviour as do de Alfaro’s experiments; rather we seek to examine the 
point at which a PEPA model first passes a test. 

The next section demonstrates how a modeller may use the specification 
language, by presenting a case study of a location tracking system. 

5 Case Study: A Location Tracking System 

As an example here we consider the problem of modelling a system where the 
location of people and equipment within a building is monitored by a central 
tracking system. Such a system is being considered for the James Clerk Maxwell 
Building at The University of Edinburgh. The building is notoriously confusing 
to navigate and the tracking system would be helpful in finding those visitors 
who get lost in the maze of corridors. The system would also help secretaries 
find professors who may be in any number of teaching and meeting rooms or 
colleagues’ offices and would be an invaluable aid in the hunt for the (non- 
networked) laptop computers which can be borrowed for the secure preparation 
of examination papers. 

Location tracking systems such as these are implemented by the use of active 
badges, credit-card sized devices which transmit unique infra-red signals which 
are detected by networked sensors. Systems such as these are already in use in 
several European universities and in research laboratories in the USA. 

The University of Edinburgh issues “smart” enrolment cards at the start of 
each academic year. These are used both for electronic cash and as swipe-cards 
for door entry. It is planned that these would be superseded by cards which may 
also be used for location tracking. The battery life of such a device has typically 
been found to be around a year IZDI so it is necessary to tune the performance 
of the system by adjusting the rate at which registration is performed in order 
to conserve battery power while simultaneously ensuring that the system gives 
accurate location information. 

A Markovian stochastic process algebra such as PEPA is well suited to mod- 
elling this system because exponential registration intervals are used to prevent 
the repeated collisions between transmitting badges which would result in lost 
messages m. This is the same use of randomness as found in the Aloha packet- 
switching network: without it, a collision would inevitably be followed by another 
collision. 

To keep the example small we will consider the simple case of tracking the 
progress of a single person around a single floor of a building. The floor has three 
corridors which are numbered 14, 15 and 16, and we assume that there is only 
a single sensor in each corridor. The corridors are arranged in a U-shape so that 
it is possible to go from the 14 corridor to the 15 corridor and then to the 16 
corridor (and the other way, of course) but it is not possible to go from the 14 
to the 16 corridor directly. 

The behaviour of a person P who is wearing an active badge can be described 
in terms of their movement from one corridor to a neighbouring one and the 
registration of their badge with the nearest sensor. 

$$P_{14} \stackrel{\mathrm{def}}{=} (reg_{14}, r).P_{14} + (move_{15}, m).P_{15}$$

$$P_{15} \stackrel{\mathrm{def}}{=} (reg_{15}, r).P_{15} + (move_{14}, m).P_{14} + (move_{16}, m).P_{16}$$

$$P_{16} \stackrel{\mathrm{def}}{=} (reg_{16}, r).P_{16} + (move_{15}, m).P_{15}$$

Sensors accept registration information and report this back to the central 
database. 



$$S_{14} \stackrel{\mathrm{def}}{=} (reg_{14}, \top).(rep_{14}, s).S_{14}$$

$$S_{15} \stackrel{\mathrm{def}}{=} (reg_{15}, \top).(rep_{15}, s).S_{15}$$

$$S_{16} \stackrel{\mathrm{def}}{=} (reg_{16}, \top).(rep_{16}, s).S_{16}$$

For a system with only one person to be tracked the database need only store 
the most recently reported position. 

$$DB_{14} \stackrel{\mathrm{def}}{=} (rep_{14}, \top).DB_{14} + (rep_{15}, \top).DB_{15} + (rep_{16}, \top).DB_{16}$$

$$DB_{15} \stackrel{\mathrm{def}}{=} (rep_{14}, \top).DB_{14} + (rep_{15}, \top).DB_{15} + (rep_{16}, \top).DB_{16}$$

$$DB_{16} \stackrel{\mathrm{def}}{=} (rep_{14}, \top).DB_{14} + (rep_{15}, \top).DB_{15} + (rep_{16}, \top).DB_{16}$$

In the complete system the badge-wearer will move asynchronously but will 
register with the sensors. The sensors are independent but they all report back 
to the database. We can initialise the system in any state we wish, perhaps with 
the badge-wearer in the 14 corridor and the database also recording this. 

$$P \stackrel{\mathrm{def}}{=} P_{14} \qquad DB \stackrel{\mathrm{def}}{=} DB_{14} \qquad System \stackrel{\mathrm{def}}{=} P \bowtie_{\{reg_i\}} (S_{14} \parallel S_{15} \parallel S_{16}) \bowtie_{\{rep_i\}} DB$$
5.1 Analysing the Performance of the Location Tracking System 

In tuning the system to provide the best balance between accuracy and in- 
creased battery life we would investigate the probability of the database incor- 
rectly recording the position of the badge-wearer and increase or decrease the 
registration rate in order to attain an acceptable threshold. Moreover, failure to 
register a move is not the only source of inaccurate data within the system. It 
is possible that reports to the database occur in the wrong order, giving a false 
impression of the location of the badge wearer. In either case the error can be 
characterised by the wearer being able to register in a location and the database 
not recording their presence there. If it has been decided that an acceptable level 
of accuracy is to have a 1% error rate then, in our high level notation, we would 
investigate the adequacy of our implementation as follows: 

$$\Pr(reg_{14}\!\uparrow \wedge DB \neq DB_{14}) + \Pr(reg_{15}\!\uparrow \wedge DB \neq DB_{15}) + \Pr(reg_{16}\!\uparrow \wedge DB \neq DB_{16}) > 0.01$$

We have investigated the alteration of the probability of error as the rates of 
badge registration and sensor reporting (variables r and s) are changed while 
the rate of movement of the badge-wearer (variable m) remains constant. The 
results are presented in Fig. 2. With the values chosen, the probability of error 
in the system varies between 0.02 and 0.18. These values were computed by 
first using the PEPA Workbench to investigate the state space of the location 
tracking system and then using the PEPA State Finder to select the states of 
interest. We then used the Maple computer algebra package both to find the 
steady-state probability distribution of the system and to plot the results. 

As a consistency check on our work we also used the PEPA State Finder 
to compute the probability that the database correctly recorded the location 
of the badge-wearer and checked that the probabilities of database correctness 
and incorrectness summed to 1, which they did. The PEPA State Finder at 
present only implements a subset of the specification language which is described 
here but it is our intention to extend this to a complete implementation of the 
language. 

The location tracking system with only a single person is a very simple system 
with only 72 states but we have also considered the effect of adding another 
person, with a correspondingly more complex database model. The state space 
of the system increases quickly, of course, and the extended system has 2187 
states. More complex performance measures are applicable to the more complex 
model. 



Fig. 2. Investigation of the probability p of error against rates r and s (with m = 0.1)

6 Further Work and Discussion

We are confident that the notion of probabilistic logic can be used to give a formal semantics to the specification language as described in the preceding sections. However, the utility of PML in interpreting transient specifications, as initially proposed in [?], has not been investigated, and remains as future work. Furthermore, we 
are currently developing the theory behind calculating transient measures. The 
satisfaction of a transient property is determined by the construction of an ap- 
propriate stochastic test, consisting of an ancillary PEPA process; the analysis 
of the original model is done in concert with the stochastic test. Therefore, the 
longer term aim is to provide the PEPA user and modeller with a rigorous and 
formally defined specification language for the computation of both equilibrium 
and transient performance measures. 

Initial work on this notation for specifying performance measures was carried 
out in a feature interaction framework. We view a feature as being a significant 
aspect or property of the system which could be used to compare this one to 
another. Most importantly, features are qualities which can interact and which 
can be measured. Therefore the feature interaction framework represents the idea 
that a system may be built by composing a number of well-engineered features, 
and is a useful paradigm for both system designers — who are concerned with a 
compositional or structured approach to the construction of a system — and to 
system users — who wish to learn and understand complex systems in terms of 
substantive concepts. The widespread acceptance of the importance of features 
makes them a very desirable concept to build into a specification language since 
one of the uses of a specification language can be to provide a common working 
language between designers and users. Our original setting meant that by using the specification language, a user could formally describe within the model a particular feature enjoyed by the system. 



7 Conclusions 

Despite impressive improvements in the computational power which is now avail- 
able to end-users of computer systems, computer equipment remains expensive 
to purchase and maintain. Consequently, making cost-effective use of limited re- 
sources remains one of the motivating concerns of computer system managers. 
Analysis of computer systems through construction and solution of descriptive models is a hugely profitable activity: brief analysis of a model can provide as much insight as hours of simulation and measurement [22]. 

We have presented a notation for the description of performance specifica- 
tions which relate to stochastic process algebra models expressed in the PEPA 
modelling notation. Our notation for performance specification focuses on mod- 
els in equilibrium, and concentrates on internally measurable quantities of the 
system. We are currently developing the framework for specifying transient mea- 
sures, which will focus on externally observable patterns in the system’s transient 
behaviour. Further, in this paper, we have highlighted how a meaning may be 
given to equilibrium specifications by using the probabilistic modal logic PML. 
The location tracking case study illustrates the way in which a modeller would 
use the PEPA specification language to reason about the performance of a model. 
A Proof of Modal Characterisation of Strong Equivalence

Case 1 Assume $P \cong Q$. We proceed by induction on the size of $F$, as in [?].

Case $F = \langle a \rangle_\mu G$: Let $P \models F$. Then by definition, there exists a set $S$ such that $P \xrightarrow{a,\nu} S$, where $\nu \geq \mu$, and for all $P' \in S$, $P' \models G$.

Since $P \cong Q$, there exists some strong equivalence $\mathcal{R}$ such that for all $a \in \mathcal{A}$, for all $S \in \mathcal{C}/\mathcal{R}$, $q[P, S, a] = q[Q, S, a]$. For each $P' \in S$, let $\mathcal{R}_{P'}$ be the equivalence class in $\mathcal{C}/\mathcal{R}$ which contains $P'$. Furthermore, let $S'' = \bigcup_{P' \in S} \mathcal{R}_{P'}$. Now, for each $P'' \in S''$, $P'' \,\mathcal{R}\, P'$, and thus $P'' \cong P'$, for some $P' \in S$, and so by the hypothesis, for all $P'' \in S''$, $P'' \models G$.

Since $S \subseteq S''$, $P \xrightarrow{a,\lambda} S''$, where $\lambda \geq \nu$. Since $P \,\mathcal{R}\, Q$, for all $T \in \mathcal{C}/\mathcal{R}$, $q[P, T, a] = q[Q, T, a]$. However, note that for all $s, s' \in S$, $\mathcal{R}_s = \mathcal{R}_{s'}$ or $\mathcal{R}_s \cap \mathcal{R}_{s'} = \emptyset$. Therefore, by construction of $S''$, $q[P, S'', a] = q[Q, S'', a]$.

Therefore, $Q \xrightarrow{a,\lambda} S''$, where $\lambda \geq \nu \geq \mu$, and for all $Q' \in S''$, $Q' \models G$. Therefore, $Q \models \langle a \rangle_\mu G$. By symmetry of $\cong$, this case is complete.

Case $F = \nabla a$: Let $P \models F$. Therefore $P \stackrel{a}{\nrightarrow}$. Since $P \cong Q$ it is the case that for some strong equivalence $\mathcal{R}$, for all $a \in \mathcal{A}$, for all $S \in \mathcal{C}/\mathcal{R}$, $q[P, S, a] = q[Q, S, a]$. However, for all $S' \in 2^{\mathcal{C}}$, $q[P, S', a] = 0$. Since for all $S \in \mathcal{C}/\mathcal{R}$, $S \in 2^{\mathcal{C}}$, it is the case that $q[Q, S, a] = q[P, S, a] = 0$ for any $S \in \mathcal{C}/\mathcal{R}$, for any $\mathcal{R}$ which is a strong equivalence. Therefore there does not exist a $C$ such that $q[Q, C, a] > 0$ and therefore $Q \stackrel{a}{\nrightarrow}$. By symmetry of $\cong$, this case is complete. All other cases are straightforward.

Case 2 Assume that for all $F$, $P \models F$ if and only if $Q \models F$. Let $\mathcal{R} = \{(P, Q) \mid \text{for all } F,\ P \models F \text{ if and only if } Q \models F\}$. The result will hold if $\mathcal{R}$ can be shown to be a strong equivalence. By simple inspection, $\mathcal{R}$ is clearly an equivalence relation. Thus, it must be shown that for all $a \in \mathcal{A}$, for all $S \in \mathcal{C}/\mathcal{R}$, $q[P, S, a] = q[Q, S, a]$.

Let $S \in \mathcal{C}/\mathcal{R}$. Assume that for some $a \in \mathcal{A}$, $P \xrightarrow{a,\mu} S$ for some $\mu$. Now consider the $a$-derivatives of $Q$, labelled $Q'_1, \ldots, Q'_m, Q'_{m+1}, \ldots, Q'_n$ where $n \geq 0$, $0 \leq m \leq n$. These derivatives are labelled such that $Q'_1, \ldots, Q'_m \in S$ and $Q'_{m+1}, \ldots, Q'_n \notin S$. For each $Q'_j$ let the rate at which $Q$ makes an $a$-transition to $Q'_j$ be denoted by $\mu_j$. Since $S$ is an equivalence class under $\mathcal{R}$, it is the case that for each $Q'_j$, $m+1 \leq j \leq n$, there exists a formula $F_j$ such that $Q'_j \models F_j$, and for each $Q'_i$, $0 < i \leq m$, $Q'_i \not\models F_j$. From a lemma by Larsen and Skou [?], it is possible to construct a dual formula to each $F_j$, named here $\bar{F}_j$, such that for $Q'$, $m+1 \leq j \leq n$, $Q' \models F_j$ if and only if $Q' \not\models \bar{F}_j$. Now it is the case that $Q \models \langle a \rangle_{\mu'} (\bar{F}_{m+1} \wedge \ldots \wedge \bar{F}_n)$, where $\mu'$ is given in terms of the $\mu_j$ [definition lost in extraction]. However, by the initial assumption, it is also the case that $P \models \langle a \rangle_{\mu'} (\bar{F}_{m+1} \wedge \ldots \wedge \bar{F}_n)$, and therefore $\mu' \geq \mu$. This then gives that $q[Q, S, a] = \mu' \geq \mu$. However, $\mathcal{R}$ is symmetrical, and so by the same argument it is the case that $\mu \geq \mu'$, and thus that $\mu = \mu'$. Hence $q[P, S, a] = q[Q, S, a]$, as required. □
Abstract. A solution method for solving Markov chains for a class of 
stochastic process algebra terms is presented. The solution technique is 
based on a reformulation of the underlying continuous-time Markov chain 
(CTMC) in terms of semi-Markov processes. For the reformulation only 
local information about the processes running in parallel is needed, and it 
is therefore never necessary to generate the complete global state space of 
the CTMC. The method works for a fixed number of sequential processes 
running in parallel and which all synchronize on the same global set of 
actions. The behaviour of the processes is expressed by the embedded 
Markov chain of a semi-Markov process and by distribution functions 
(exponomials) which describe the times between synchronizations. The 
solution method is exact, hence, the state space explosion problem for 
this class of processes has been solved. A distributed implementation of 
the solution technique is straightforward. 



1 Introduction 

Formal verification and the evaluation of performance models have been proven 
to be important stages in the design of distributed and communication systems. 
Stochastic process algebras (SPA) are an attempt to integrate the qualitative 
(functional) and quantitative (temporal or stochastic) specifications within one 
formal modeling framework. The advantages of this approach are obvious: the 
formal verification and performance evaluation are carried out on the same basis, 
so that temporal as well as functional results relate to the same model. 

SPA are action-based modeling formalisms, where the SPA terms describe global states of the specified system. The most common semantic domain of the functional specification is transition systems. The stochastic behaviour is usually a continuous-time Markov chain (CTMC). Unfortunately, SPA are, like any formalism referring to the global state space, subject to the state space explosion problem. That is, the state space of the model often increases exponentially with the degree of parallelism of the specified system. Thus, 

* An earlier version of this paper was presented at the PAPM '98 workshop in Nice, France.

verification as well as performance evaluation is often impossible due to the vast memory requirements even for medium scale problems. In this paper we develop an approach to tackle the state space explosion problem in the temporal domain. 

Several attempts have already been made to reduce the memory requirements for the solution of the CTMC of performance models. According to [12], these can be classified as product-form solution techniques and aggregation techniques. In the field of product-form solutions, the solution of an SPA model is carried out componentwise. The results are combined afterwards. Aggregation techniques generally aim at state-space reduction of the underlying CTMC by means of state aggregation. For a detailed overview of the techniques developed so far we refer to [?]. 

In this paper we will present another approach to tackle the state space 
explosion. We will exploit the compositional structure of SPA specifications in 
the solution of the underlying stochastic process. We reformulate the stochastic 
process expressed by the underlying CTMC by means of semi-Markov processes. 
Times between synchronizations of processes can be characterized by phase-type distributions¹, which can be expressed by exponomials. The synchronization behaviour is expressed by the embedded Markov chains of the semi-Markov processes. Since synchronizations are generally rarer than local actions, the embedded Markov chain is most often much smaller than the original CTMC of the considered SPA specification. 

Our approach, which is strictly oriented at the compositional structure of the 
SPA specification, has the following characteristics: 

— Generation of the global state space is avoided. 

— The approach is only applicable to a restricted class of SPA terms. 

— We obtain exact throughputs and local steady-state probabilities. 

— Of minor importance for this paper, but interesting nevertheless, is the fact that a distributed implementation of the approach is straightforward. 

The paper is structured as follows: In Section 2 we introduce the fundamentals necessary to understand the rest of the paper. In Section 3 we present our approach. In Section 4 we discuss the pros and cons of the approach and give an overview of our further work. 

2 Preliminaries 

We start in Section 2.1 by defining the stochastic process algebra $\mathcal{SPA}$ which serves us as the basic formalism to describe the kind of processes apt to be solved by our approach. In Section 2.2 we briefly explain the usefulness of throughputs for the computation of steady-state probabilities of CTMCs. In Section 2.3 we discuss the relations between local and global state probabilities. In Section 2.4 we introduce basic facts of semi-Markov processes. Section 2.5 gives a short description of the kind of distributions (exponomials) we will be concerned with in the rest of this paper.

¹ The time to absorption of an absorbing Markov chain has a distribution which is commonly referred to as a phase-type distribution. 
2.1 The Stochastic Process Algebra $\mathcal{SPA}$

The stochastic process algebra $\mathcal{SPA}$ is an extension of TCSP [3] by anonymous timed actions which are intended to model a stochastic passing of time between visible actions. Functional and temporal behaviour is treated separately, as in [?]. The operational semantics is rather similar to that of IM-TIPP [?].

First, we define a general syntax of $\mathcal{SPA}$. For the resulting language we define a structural operational semantics. Finally, we restrict the language of $\mathcal{SPA}$ such that the resulting terms are apt to be solved by our method.

Syntax of $\mathcal{SPA}$. Let $Com = \{a, b, c, \ldots\}$ be a set of actions with $\tau \notin Com$ and $Act := Com \cup \{\tau\}$. 

Definition 1. The language $\mathcal{L}_{\mathcal{SPA}}$ is defined by the following grammar:

$$P \;::=\; \mathit{Stop} \mid a.P \mid (\lambda).P \mid P + P \mid P \parallel_S P \mid P \setminus L \mid X \mid \mathit{rec}X : P \qquad (1)$$

with $a \in Act$, $L, S \subseteq Com$, $\lambda \in \mathbb{R}$ with $\lambda > 0$, and $X$ a process variable. $\mathcal{L}_{\mathcal{SPA}}$ is additionally restricted by the following rules:

1. Recursion over static operators ($\cdot \parallel_S \cdot$, $\cdot \setminus L$) is not allowed.

2. The recursion operator $\mathit{rec}X$ binds the process variable $X$ and, as usual, we only consider terms without any free occurrence of a process variable.

3. Each occurrence of a process variable $X$ is preceded by an action $a \in Act$ or a rate $\lambda \in \mathbb{R}$. 

If necessary, we use parentheses to mark the scope of $\mathit{rec}X$-operators or the bounds of choices.

The prefixes $a.\,\cdot$ have to be seen as immediate actions which do not consume time. The prefixes $(\lambda).\,\cdot$ with $\lambda$ being a positive real number denote anonymous timed actions with a duration which is distributed according to a negative exponential distribution with rate $\lambda$. These actions are subsequently called Markovian. Synchronization is possible only between immediate actions. Hence the synchronization mechanism used here is timeless synchronization as described in [?]. 

Structural Operational Semantics for $\mathcal{SPA}$. The definition of an operational semantics requires first the definition of appropriate transition systems:

Definition 2 ($\mathcal{SPA}$ transition system). An $\mathcal{SPA}$ transition system is a tuple

$$(S, s_0, \longrightarrow, \dashrightarrow),$$

where $S \subseteq \mathcal{L}_{\mathcal{SPA}}$, $s_0 \in S$ is the starting state and $\longrightarrow$, $\dashrightarrow$ are labelled transition relations:

$$\longrightarrow \;\subseteq\; S \times \mathbb{R} \times Lab \times S, \qquad \dashrightarrow \;\subseteq\; S \times Act \times S,$$

and $Lab = \{\parallel_l, \parallel_r\}^*$.

Fig. 1. Operational semantics for $\mathcal{SPA}$: Markovian actions 



The semantics of a term $P \in \mathcal{L}_{\mathcal{SPA}}$ is given by the smallest transition system obeying the semantic rules given in Figure 1 and Figure 2. We denote this transition system subsequently by $[\![P]\!]$.

We will now define some more terms which we will use in the subsequent sections.

Definition 3. Let $P \in \mathcal{L}_{\mathcal{SPA}}$ and $[\![P]\!] = (S, s_0, \longrightarrow, \dashrightarrow)$. Then

$$Reach(P) := S$$

is called the reachability set of $P$.

The inclusion $P' \in Reach(P)$ is sometimes informally stated as "the state $P'$ belongs to process $P$".

Definition 4. The set of synchronizing states of $P \in \mathcal{L}_{\mathcal{SPA}}$ is given by:

$$S_{syn}(P) = \{P' \mid P' \in Reach(P) \wedge \exists P'' : P' \stackrel{a}{\dashrightarrow} P'' \text{ for } a \in Com\} \qquad (2)$$

The set $S_{syn}(P)$ for $P \in \mathcal{L}_{\mathcal{SPA}}$ contains all those states of $Reach(P)$ where an immediate action is enabled. These states are also known as vanishing states, since they are usually eliminated from the reachability graph when the underlying CTMC is generated.

Definition 5. With $\equiv$ we denote syntactic equivalence.

Syntactic Restrictions. The solution method we want to explain in Section 3 is only applicable to a restricted class of $\mathcal{SPA}$-terms. Here we want to define this class. 
Fig. 2. Operational semantics for $\mathcal{SPA}$: Immediate actions

Definition 6. The language $\mathcal{L}_{\Pi\mathcal{SPA}} \subseteq \mathcal{L}_{\mathcal{SPA}}$ is defined by the following grammar:

$$Q \;::=\; \underbrace{P \parallel_S P \parallel_S \cdots \parallel_S P}_{n \text{ times}} \qquad (3)$$

$$P \;::=\; \mathit{Stop} \mid a.P \mid (\lambda).P \mid T + T \mid P \setminus L \mid X \mid \mathit{rec}X : P \qquad (4)$$

$$T \;::=\; \mathit{Stop} \mid (\lambda).P \mid T + T \mid T \setminus L \mid X \mid \mathit{rec}X : T \qquad (5)$$

where $n = 2, 3, \ldots$ and $L, S \subseteq Com$.

— The rule $Q$ describes the global structure of the processes we want to consider. We always deal with $n$ processes which are synchronized over the same synchronization set $S$.

— The second rule, $P$, confirms that we do not allow a choice between local (timed) and synchronizing (immediate) actions. Stated in an intuitive way, this means that we do not allow local timeouts. A process willing to synchronize has to wait until all other participants are ready to synchronize. We need this restriction because the time between the executions of untimed actions must be phase-type distributed. This requirement would be violated if a choice between timed and untimed actions were allowed.

— The rule $T$ describes processes which are only able to perform timed actions as their next step.

Additionally, we demand that the CTMC underlying an $\mathcal{SPA}$ term has to be ergodic. This requires at least that the $\mathcal{SPA}$ process is deadlock free. As a consequence we can see that the synchronization behaviour of synchronizing processes must be deterministic: once they have synchronized it has to be known on which action type they will synchronize next. Since choices between immediate actions lead to nondeterministic behaviour we have to forbid this possibility. 



Other Stochastic Process Algebras. Though we consider only timeless synchronization in this paper, it is possible to use other SPA like MTIPP or PEPA [?] as well. In these SPA, synchronizations are considered as actions with an associated exponentially distributed delay. The rate of the delay depends on the rates of the synchronizing actions which take part in the synchronization. Though these timed synchronizations seem to be inconsistent with our notion of untimed synchronization, they actually are not. The timed synchronizations are inherently composed of two timeless synchronizations and a delay which is shared by all parties which take part in the synchronization. We do not consider this further here, but we claim that the "classical" timed synchronizations can be expressed by means of SPA with timeless synchronization, like $\mathcal{SPA}$. This capability has been extensively used in [?], to which we refer the reader for more details. Since $\mathcal{SPA}$ is hence an SPA which is as powerful as the others, we decide to consider only timeless synchronization in what follows. 



2.2 Throughputs and State Probabilities

The throughput (or probability flow) $\mathcal{T}_s$ of a CTMC state $s$ is defined as

$$\mathcal{T}_s = \pi_s \cdot q_s,$$

where $\pi_s$ is the steady-state probability of being in state $s$ and $q_s$ the rate sum of the outgoing transitions of $s$. Given a generator matrix $Q$ of an irreducible CTMC, the knowledge of the throughput of one state does not give much information to aid the solution of $Q$. On the other hand, if we have a CTMC where the rate of a transition is not known, but its throughput is, we can use the throughput to derive the steady-state solution of the CTMC. CTMCs with unknown rates will appear naturally in the next sections. 



2.3 Local vs. Global State Probabilities

Consider a process $V = P_1 \parallel_S \cdots \parallel_S P_n \in \mathcal{L}_{\Pi\mathcal{SPA}}$. We call the probabilities to be in state $Q$ for all $Q \in Reach(V)$ global state probabilities. Local state probabilities are defined for the components $P_i$, $i = 1, \ldots, n$, of $V$ and denote the probabilities for component $P_i$ to be in state $R$ for all $R \in Reach(P_i)$. The local probabilities depend not only on $P_i$ itself but also on the environment of $P_i$, i.e. the other components of $V$. The local state probabilities of a component $P_i$ depend strongly both on its own CTMC and on the influence the other components have on $P_i$.

Many performance measures relate to individual components and can be expressed by means of local state probabilities of the components themselves (e.g. the mean number of customers at an individual station in a queueing network). For cases in which such measures are needed it is desirable to compute the local state probabilities directly.

The influence of the environment on a component $P_i$ can be expressed by the mean counts of synchronizations per unit time which $P_i$ performs. These mean counts can be seen as throughputs of the synchronizing states of $P_i$; hence, for each synchronizing state of $P_i$ such a throughput can be defined. Knowing them, the system of global balance equations of the CTMC underlying $P_i$ can be modified in such a way that its solution yields the local state probabilities of $P_i$. In Section 3 we will present a method to compute these throughputs. 

2.4 Semi-Markov Processes

The concept of semi-Markov processes is a generalization of the common Markov process. The main difference is that the state sojourn times of a semi-Markov process are no longer described by negative exponential distributions but by arbitrary ones. Only at the times where state changes occur is the Markov property obeyed. The next state to enter is determined according to the current state and transition probabilities which are described by the so-called embedded Markov chain (EMC). The EMC is an ordinary DTMC, which has the same states and transitions as the semi-Markov process but which gives only the transition probabilities from state to state. In the following, we denote the steady-state solution of the EMC, which is needed to solve the semi-Markov process, as $(\pi_1, \ldots, \pi_n)$.

For each state $i$ of a semi-Markov process, a distribution function $F_i$ for the sojourn time in the state has to be defined. With $T_i$, $i = 1, \ldots, n$, being the mean values of these $F_i$-distributed random variables, the steady-state solution vector $(\phi_1, \ldots, \phi_n)$ of the semi-Markov process is given by the following quotient:

$$\phi_i = \frac{\pi_i \, T_i}{\sum_{j=1}^{n} \pi_j \, T_j}.$$

For an overview of semi-Markov processes see [?]; a more complete description is given in [?] and [?]. 

2.5 Exponomials

This section is devoted to a special class of functions which can be used to express phase-type distributions: exponential polynomials, or exponomials for short. Exponomials will be used in Section 3 to express the state sojourn time distributions for the semi-Markov process we want to define. Exponomials have the following form:

$$f(t) = \sum_{i=1}^{n} \gamma_i \, t^{k_i} \, e^{\alpha_i t}, \qquad k_i \in \mathbb{N},\ \gamma_i, \alpha_i \in \mathbb{R} \text{ for } i = 1, \ldots, n. \qquad (6)$$

Note that not all exponomials describe distribution functions, for example $f(t) = e^{t}$.

The fact that exponomials are closed under multiplication will become very important in the following sections. Remember that the distribution of the maximum of a set of random variables, $X = \max\{X_1, \ldots, X_n\}$, is easy to express by the distributions $F_i$, $i = 1, \ldots, n$, of the individual random variables, as follows:

$$F_X(t) = \prod_{i=1}^{n} F_i(t). \qquad (7)$$

Hence, $X$ has an exponomial distribution function.

In [?] more information on exponomials can be found. There are algorithms known to derive exponomial distribution functions for the time to absorption of absorbing Markov chains. See e.g. [?] and [?]. 

3 The Solution Method

In this section we describe our solution method. The main goal of our approach is to reduce the computations on the global state space of the CTMC. We do this by reformulating the mathematical problem in terms of semi-Markov processes. The time instants at which a state change in the SMP occurs represent the times of synchronization. The sojourn times of the SMP represent the times between two synchronizations.

Throughout this section we will assume a process $V = P_1 \parallel_S \cdots \parallel_S P_n \in \mathcal{L}_{\Pi\mathcal{SPA}}$. The solution algorithm comprises the following major steps:

1. Definition of (local) embedded Markov chains for the semi-Markov process underlying the considered system.

2. Definition of the sojourn time distributions in terms of exponomials for the (local) EMC states.

3. Computation of mean sojourn times of the defined SMPs and their steady-state probabilities, computation of the throughputs and local steady-state probabilities and, finally, computation of the desired performance measures.

To simplify the understanding of our approach we accompany the technical parts with a running example, which we introduce now.

Example (a): Introduction. Consider two processes $P$ and $Q$ which have three possibilities to synchronize:

$$P = \mathit{rec}X : a.(rp_1).b.(rp_2).X$$

$$Q = \mathit{rec}Y : a.((rq_1).b.(rq_3).Y + (rq_2).b.(rq_4).Y)$$

$$V = P \parallel_{\{a,b\}} Q.$$

The process $P$ is very simple: after performing an immediate action $a$, it lets some time pass (negative exponentially distributed with rate $rp_1$). Then, after immediate action $b$, it waits a time interval (with rate $rp_2$) and then behaves again like $P$.

Process $Q$ is only slightly different: after performing an immediate action $a$ it has the choice between two timed actions, $(rq_1)$ and $(rq_2)$. The choice takes a time which is exponentially distributed with rate $rq_1 + rq_2$. In either case an immediate action $b$ is executed. After that it takes some time (with rate $rq_3$ or $rq_4$) until the process behaves again like $Q$.

Finally, $V$ is the parallel composition of $P$ and $Q$, where $P$ and $Q$ synchronize via the actions $a$ and $b$. 



3.1 Step 1: Finding the EMC

The states of the EMC (and of the semi-Markov process as well) are strongly connected to the times where synchronizations take place in the original model.

Let $m_i = |S_{syn}(P_i)|$ be the cardinality of the set of synchronizing states. For each $P_i$ we define an intermediate DTMC $MC_{P_i}$ whose state space is the set $M_i = \{1, \ldots, m_i\}$. The (bijective) function $\sigma_i : M_i \to S_{syn}(P_i)$ defines which state of $MC_{P_i}$ belongs to the respective synchronizing state of $P_i$.

The transition probabilities for $MC_{P_i}$ are defined as follows: if we are in state $j \in M_i$ (that means in the state $\sigma_i(j) \in Reach(P_i)$) we can derive from $P_i$ the probability $p_{jk}$ that the next EMC state [that means the next synchronizing state] that is visited will be $k$ [$\sigma_i(k)$]. $MC_{P_i}$ is completely described by the transition probability matrix

$$P_i = (p_{jk})_{j,k \in M_i}. \qquad (8)$$

Now that we have defined the $MC_{P_i}$ we can proceed with the definition of the desired EMC. Its state space is simply the cross-product of all the $MC_{P_i}$. We denote the transition probability matrix of the overall EMC as $P_\parallel$. In terms of Kronecker operators the transition probability matrix $P_\parallel$ is given by $P_\parallel = P_1 \otimes \cdots \otimes P_n$.

We can describe the states of the EMC as tuples

$$(i_1, i_2, \ldots, i_n) \in M_1 \times \cdots \times M_n =: M_\parallel.$$

When the stochastic process described by $P_\parallel$ enters $(i_1, i_2, \ldots, i_n)$ this reflects the fact that between the processes $P_1, \ldots, P_n$ a synchronization has taken place, where $P_1$ was in synchronizing state $\sigma_1(i_1)$, $P_2$ in synchronizing state $\sigma_2(i_2)$ and so on.

The state graph of $P_\parallel$ is not necessarily connected, i.e. it may consist of disjoint parts, where no state in one part can reach a state in a different one. In this case we have to decide which part is the interesting one. Generally, this is determined by a starting distribution of the DTMC, which describes the probabilities to be in a certain state at the beginning of the observation. In our case we have to choose the part which contains at least one state $(i_1, i_2, \ldots, i_n) \in M_\parallel$ with

$$\sigma_1(i_1) \parallel_S \cdots \parallel_S \sigma_n(i_n) \in Reach(V).$$

Demanding that at least one state has this property is sufficient, since every state reachable from $(i_1, i_2, \ldots, i_n)$ has this property as well.

Below we will calculate the steady-state probabilities of the EMC. Since the EMC has been built from the independent DTMCs $MC_{P_i}$ it is also possible to obtain the steady-state solutions for the $MC_{P_i}$ individually. The solution vector for the complete EMC can be obtained thereafter by simple elementwise multiplication of the $n$ solution vectors. This is not shown in the example below. 



Example (b): Finding the EMC. We want to express the temporal behaviour of $V$ by means of a semi-Markov process. The first thing to do is to define the state space and transition structure of this SMP. That means to define the EMC of the SMP.

First we define the discrete time Markov chains $MC_P$ and $MC_Q$, which describe the synchronization behaviour of $P$ and $Q$ by means of probabilities. $MC_Q$ has a very simple structure as shown in Figure 3(b). $MC_P$ is even simpler, as Figure 3(a) shows.

The overall EMC is depicted in Figure 4. It consists of two disjoint parts. Only the left part is needed, since it contains the starting state $(1,1)$. Hence we have to solve the DTMC with the states $(1,1)$, $(2,2)$, and $(2,3)$. The solution is $\pi^{EMC} = (\pi^{EMC}_{(1,1)}, \pi^{EMC}_{(2,2)}, \pi^{EMC}_{(2,3)})$ with

$$\pi^{EMC}_{(1,1)} = \frac{1}{2}, \qquad \pi^{EMC}_{(2,2)} = \frac{rq_1}{2(rq_1 + rq_2)}, \qquad \pi^{EMC}_{(2,3)} = \frac{rq_2}{2(rq_1 + rq_2)}.$$
3.2 Step 2: How To Determine Distributions for the Sojourn Times

Now that we know the EMC we also know the structure of the SMP. All we have to define now are the sojourn time distributions of the SMP states. To do this we begin once again with the intermediate chains $MC_{P_i}$. First we define distribution functions for each state of $MC_{P_i}$: the distributions of the time to the next synchronization, identified by the random variables $T$. To distinguish them we write $T^i_j$ for the random variable which describes the time to the next synchronization starting in state $\sigma_i(j)$ of process $P_i$. The distributions of the $T^i_j$ can be expressed by phase-type Markov chains derived from the process $P_i$. An explicit semi-symbolic expression in exponomial form can be derived for the distribution of the time to absorption (as mentioned in Section 2.5). 
Fig. 3. $MC_P$ and $MC_Q$ for the example: (a) $MC_P$ with $\sigma_P(1) = a.(rp_1).b.(rp_2).P$ and $\sigma_P(2) = b.(rp_2).P$; (b) $MC_Q$ with $\sigma_Q(1) = a.((rq_1).b.(rq_3).Q + (rq_2).b.(rq_4).Q)$, $\sigma_Q(2) = b.(rq_3).Q$ and $\sigma_Q(3) = b.(rq_4).Q$

Fig. 4. The (overall) EMC of the example 
We denote the distribution function of $T^i_j$ as $F^i_j$. Now that we have defined them we can proceed with the distribution functions of the complete SMP. For a state $(j_1, \ldots, j_n)$ of the complete Markov chain we define the distribution function

$$F_{(j_1, j_2, \ldots, j_n)}(t) := \prod_{k=1}^{n} F^k_{j_k}(t). \qquad (9)$$

The distribution $F_{(j_1, j_2, \ldots, j_n)}(t)$ describes the maximum of the individual times to the next synchronizations, i.e., it is the distribution of the random variable

$$T_{(j_1, j_2, \ldots, j_n)} := \max\{T^1_{j_1}, \ldots, T^n_{j_n}\}.$$

This random variable describes the temporal behaviour of the overall system between two synchronization events.²

² It should be noted that the distributions $F^i_j$ and $F_{(j_1, \ldots, j_n)}$ do not take into account which synchronizing states take part in the next synchronization. That means that we have defined unconditional distributions. There is also another variant of semi- 
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Example (c): Sojourn Time Distributions. To define the distributions of 
SMP states we begin by considering the intermediate EMCs MCp and MCq. 
First we define the sojourn time distributions for both of them. According to 
the last section we denote the times to next synchronization as , where X is 
either P or Q and i one of the respective state numbers. 

We start with MCp. Since P is very simple this is easy: the time to leave 
state 1 and to enter 2 is described by the same distribution as for the time that 
a state change from 

a.{rp^).b.{rp2).X 

to 

b.{rp2).X 

takes. This is a negative exponential distribution with mean . Hence the 
distribution function is 

pP{t) = 

It is nearly the same for state 2, hence 

pP{t) = 1-6-’"^’=*. 

For MCq the considerations are very similar. If MCq is in state I the fact is 
mirrored that process Q is in state (tq(I) (cf. Fig.0). The process has the choice 
to execute either (rpi) or {rq 2 ). In both cases a synchronizing state is reached, 
hence the distribution we are looking for is again negative exponential with rate 
rPi + rq^. 

F^{t) = 1 - 

For states 2 and 3 a similar reasoning holds: the T is in both cases negative 
exponentially distributed with parameter rq^ and rq^, respectively. Hence 

pQ{t) = 1 - 
pQ{t) = 

With the sojourn time distributions for $MC_P$ and $MC_Q$ we are ready to
define the respective distributions for the overall SMP. The times where state
changes occur in the SMP are synchronization instants. The time to the next
state change is then determined by the slowest participant. For state (1,1) this
is $T_{(1,1)} = \max\{T^P_1, T^Q_1\}$, which is distributed, as we know from Section 2,
with

$$F_{(1,1)}(t) = F^P_1(t)\,F^Q_1(t) = 1 - e^{-rp_1 t} - e^{-(rq_1+rq_2)t} + e^{-(rp_1+rq_1+rq_2)t}.$$

For $F_{(2,2)}(t)$ and $F_{(2,3)}(t)$ the results look similar:

$$F_{(2,2)}(t) = F^P_2(t)\,F^Q_2(t), \qquad F_{(2,3)}(t) = F^P_2(t)\,F^Q_3(t).$$



Markov processes, where distributions for individual pairs of synchronizing states 
(i.e. conditional distributions) have to be given, but we do not dwell on this topic 
here. 
3.3 Steps 3-5: Solving the Semi-Markov Process

The solution of the semi-Markov process is now straightforward. From the distributions obtained in Section 3.2 we must now compute the mean values, i.e.,

$$\tau_{(j_1,\ldots,j_n)} := \int_0^{\infty} t\, f_{(j_1,\ldots,j_n)}(t)\, dt,$$

where $f_{(j_1,\ldots,j_n)}(t) = \frac{d}{dt} F_{(j_1,\ldots,j_n)}(t)$.

With these mean sojourn times of the respective states, and the probabilities $\pi_{(j_1,\ldots,j_n)}$ obtained in Section 3.1, we only have to employ the steady-state formula of the semi-Markov process to obtain its steady-state probability distribution. The steady-state probability that the semi-Markov process is in state $(j_1, j_2, \ldots, j_n)$ equals

$$\vartheta_{(j_1,\ldots,j_n)} = \frac{\pi_{(j_1,\ldots,j_n)}\,\tau_{(j_1,\ldots,j_n)}}{\sum_{(k_1,\ldots,k_n)\in M_1\times M_2\times\cdots\times M_n} \pi_{(k_1,\ldots,k_n)}\,\tau_{(k_1,\ldots,k_n)}}.$$

With the steady-state probabilities we are now ready to compute throughputs of the overall system. The throughput $\lambda_{(j_1,\ldots,j_n)}$ of the state $(j_1, j_2, \ldots, j_n)$ is given as

$$\lambda_{(j_1,\ldots,j_n)} = \frac{\vartheta_{(j_1,\ldots,j_n)}}{\tau_{(j_1,\ldots,j_n)}}. \qquad (11)$$

$\lambda_{(j_1,\ldots,j_n)}$ gives us the mean number of synchronizations in which the synchronizing states $j_i$ ($i = 1, \ldots, n$) are involved. With these throughputs we are now able to compute local steady-state probabilities of the processes $P_i$.



Example (d): Solving the SMP. To solve the SMP we have to compute
the mean values of the distribution functions $F_{(1,1)}$, $F_{(2,2)}$, $F_{(2,3)}$. This is
accomplished by differentiation of the distribution functions and applying the
usual well-known formula for mean values of continuous distributions. We define

$$f_{(1,1)}(t) = \frac{d}{dt}F_{(1,1)}(t) = rp_1\, e^{-rp_1 t} + (rq_1 + rq_2)\, e^{-(rq_1+rq_2)t} - (rp_1 + rq_1 + rq_2)\, e^{-(rp_1+rq_1+rq_2)t},$$

$$f_{(2,2)}(t) = \frac{d}{dt}F_{(2,2)}(t), \qquad f_{(2,3)}(t) = \frac{d}{dt}F_{(2,3)}(t).$$

Symbolic integration yields as mean values

$$\tau_{(1,1)} = \frac{1}{rp_1} + \frac{1}{rq_1 + rq_2} - \frac{1}{rp_1 + rq_1 + rq_2},$$

1 1 1 

''■(2,2) — 1 ; ) 

rp2 rq^ rp2 + rq^ 

1 1 1 

''■(2,3) — 1 ; • 

rp2 rq^ rp2 + rq^ 
Now we are ready to compute the steady-state probabilities of the semi-Markov process. To
simplify the formulas we set

$$T := \sum_{j \in \{(1,1),(2,2),(2,3)\}} \pi_j\,\tau_j.$$

Then

$$\vartheta_{(1,1)} = \frac{\pi_{(1,1)}\,\tau_{(1,1)}}{T}, \qquad \vartheta_{(2,2)} = \frac{\pi_{(2,2)}\,\tau_{(2,2)}}{T}, \qquad \vartheta_{(2,3)} = \frac{\pi_{(2,3)}\,\tau_{(2,3)}}{T}.$$

From this we can compute the throughputs of our semi-Markov process:

$$\lambda_{(1,1)} = \frac{\vartheta_{(1,1)}}{\tau_{(1,1)}} = \frac{\pi_{(1,1)}}{T}, \qquad \lambda_{(2,2)} = \frac{\vartheta_{(2,2)}}{\tau_{(2,2)}} = \frac{\pi_{(2,2)}}{T}, \qquad \lambda_{(2,3)} = \frac{\vartheta_{(2,3)}}{\tau_{(2,3)}} = \frac{\pi_{(2,3)}}{T}.$$

Now that the throughputs are known the state probabilities of P and Q can be computed.
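The computation of Example (d), as an added Python example that is not part of the paper: the mean of the maximum of exponential times to next synchronization (the closed form of the mean sojourn time, generalised to n processes by inclusion-exclusion and cross-checked by numerical integration), the SMP steady-state probabilities pi_j tau_j / T and the throughputs of (11). The embedded-chain probabilities pi_j, all rate values, and the names rq3, rq4 for the parameters of Q's states 2 and 3 are constructed assumptions.

```python
"""Added example, not the paper's code: Steps 3-5 of Sec. 3.3 carried out numerically
for the P || Q example.  The embedded-chain probabilities pi_j (Section 3.1) are not
given on this page, so constructed sample values are used; all rates are constructed
sample numbers, including the parameters of Q's states 2 and 3 (called rq3, rq4 here,
an assumed naming)."""
from itertools import combinations
from math import exp, fsum


def mean_of_max_exponential(rates):
    """tau = E[max(T_1, ..., T_n)] for independent exponential T_k with the given
    rates, i.e. the integral of 1 - prod_k (1 - exp(-r_k t)) over [0, inf).
    Expanding the product gives the inclusion-exclusion sum over non-empty subsets
    S of (-1)^(|S|+1) / sum(S); for n = 2 this is 1/a + 1/b - 1/(a+b), the form
    of tau_(1,1) on the page."""
    total = 0.0
    for size in range(1, len(rates) + 1):
        sign = 1.0 if size % 2 else -1.0
        for subset in combinations(rates, size):
            total += sign / sum(subset)
    return total


def mean_by_quadrature(rates, t_max=60.0, steps=60000):
    """Cross-check of the closed form: trapezoidal integration of 1 - F(t)."""
    def survival(t):
        prod = 1.0
        for r in rates:
            prod *= 1.0 - exp(-r * t)
        return 1.0 - prod
    h = t_max / steps
    acc = 0.5 * (survival(0.0) + survival(t_max))
    for k in range(1, steps):
        acc += survival(k * h)
    return acc * h


def solve_smp(emc_probs, partner_rates):
    """Steady-state probabilities theta_j and throughputs lambda_j of the SMP.
    emc_probs: {state j: pi_j} from the embedded Markov chain;
    partner_rates: {state j: [rate of each process's time to next synchronisation]}.
    Returns (tau, theta, throughput, T) with T = sum_j pi_j tau_j."""
    tau = {j: mean_of_max_exponential(r) for j, r in partner_rates.items()}
    T = fsum(emc_probs[j] * tau[j] for j in emc_probs)
    theta = {j: emc_probs[j] * tau[j] / T for j in emc_probs}   # pi_j tau_j / T
    throughput = {j: theta[j] / tau[j] for j in emc_probs}      # Eq. (11): theta_j / tau_j
    return tau, theta, throughput, T


# Constructed sample input (not from the paper).
RP1, RP2, RQ1, RQ2, RQ3, RQ4 = 2.0, 3.0, 1.0, 1.5, 2.5, 0.5
PARTNER_RATES = {
    (1, 1): [RP1, RQ1 + RQ2],   # T_(1,1) = max{T^P_1, T^Q_1}, T^Q_1 ~ exp(rq1 + rq2)
    (2, 2): [RP2, RQ3],         # parameter of Q's state 2: assumed name rq3
    (2, 3): [RP2, RQ4],         # parameter of Q's state 3: assumed name rq4
}
EMC_PROBS = {(1, 1): 0.4, (2, 2): 0.35, (2, 3): 0.25}   # constructed pi_j


def example():
    """Run the SMP solution on the constructed input."""
    return solve_smp(EMC_PROBS, PARTNER_RATES)


if __name__ == "__main__":
    tau, theta, lam, T = example()
    for j in tau:
        print(j, "tau=%.4f theta=%.4f throughput=%.4f" % (tau[j], theta[j], lam[j]))
```

The throughputs equal pi_j / T, as in the closing formulas of Example (d), which the quadrature cross-check makes independent of the symbolic integration.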

4 Discussion and Further Work 

In the following we discuss some of the features of our solution technique. 

— The solution method yields exact results. That means, the throughputs ob- 
tained are the same as the ones obtained by solving the system of linear 
equations of the original Markov process. 

— There is never the need to construct the overall, global state space of the 
stochastic process. That means, the state space explosion problem for this 
class of processes does not occur. 

— The technique is easy to parallelize. This is due to the fact that many compu- 
tation steps have to be performed on independent Markov chains and their 
solution vectors. To develop a distributed, parallel computation algorithm is 
hence straightforward. 

— The computations of the semi-numerical representations of the sojourn time 
distributions are not always numerically stable. The stability depends on 
the eigenvalues of the absorbing Markov chains under consideration. Though 
this is not really a disadvantage of our approach it might limit its practical 
applicability. 



— The main limitation of our approach is that the class of the processes which
are apt to be solved by our method is rather small. Since the assumption
that all processes have to synchronize over the same set of actions is very
restrictive, it seems that only processes $P \|_S Q$ can profit from our approach.

The work presented here has to be seen as a first step in the development
of a compositional solution technique for SPA models. To overcome the structural
restrictions we incur in this paper, we have decided to abandon the field of semi-
Markov processes in favour of iterative computation schemes which allow the
asymptotically exact derivation of steady-state probabilities. Our new develop-
ments are based on the iterative approximation of waiting time distributions of
processes participating in a synchronization. These new ideas allow for the solu-
tion of processes which synchronize over different synchronization sets, which
enriches the class of solvable processes enormously [?].

Nevertheless, we will adopt some ideas presented in this paper for our further 
work: 

— We are still convinced that the distinction between timed anonymous and
immediate visible actions in conjunction with timeless synchronization is a
reasonable assumption. As is illustrated in [?] and [?], this type of synchro-
nization is easily extendible to other, timed synchronization types.

— The use of phase-type distributions between the occurrence of synchroniza- 
tions (the “no-timeouts-restriction” ) is a restriction that should be relaxed 
in the future. For the time being, anyway, it is a reasonable and easy to 
check restriction. 

— We will continue to use explicit distributions to describe the behaviour of 
processes between synchronizations. 

— Although the idea to derive local steady-state measures from SPA models is
a restriction, since we want to avoid the state space explosion problem, we are
forced to continue to restrict ourselves here.
Abstract. Stochastic process algebras have been introduced in order to enable
compositional performance analysis. The size of the state space is a limiting fac- 
tor, especially if the system consists of many cooperating components. To fight 
state space explosion, various proposals for compositional aggregation have been 
made. They rely on minimisation with respect to a congruence relation. This pa- 
per addresses the computational complexity of minimisation algorithms and ex- 
plains how efficient, BDD-based data structures can be employed for this purpose. 



1 Introduction 



Compositional application of stochastic process algebras (SPA) is particularly successful if the system structure can be exploited during Markov chain generation. For this purpose, congruence relations have been developed which justify minimisation of components without touching behavioural properties. Examples of such relations are strong equivalence [?], (strong and weak) Markovian bisimilarity and extended Markovian bisimilarity [?]. Minimised components can be plugged into the original model in order to circumvent the state space explosion problem. This strategy, known as compositional aggregation, has been applied successfully to handle, for instance, a telephony system model [?]. Without compositional aggregation, the state space turned out to consist of more than 10 million states, while only 720 states were actually required using compositional aggregation.

Applicability of compositional aggregation relies on the existence of algorithms to compute minimised components. In this paper, we discuss efficient algorithms for strong equivalence, and (strong and weak) Markovian bisimulation. The algorithms are variants of well-known partition refinement algorithms [?]. They compute partitions of equivalent states of a given state space by iterative refinement of partitions, until a fixed point is reached.



* A preliminary version of this paper has been presented at the PAPM'98 workshop [?].

J.-P. Katoen (Ed.): ARTS'99, LNCS 1601, pp. [?], 1999.
For the practical realisation of the algorithms we introduce BDD-based data structures. During the recent years, BDDs [?] have been shown to enable an efficient, symbolic encoding of state spaces. In particular, the parallel composition operator can be defined on BDDs in a way which avoids the usually observed exponential blow-up due to interleaving of causally independent transitions [?]. In this paper, we highlight how parallel composition and compositional aggregation can both be performed symbolically in a stochastic setting.

This paper is organised as follows: Sec. 2 contains the definition of the languages and of the bisimulation relations which we consider. Sec. 3 presents the basic bisimulation algorithm for non-stochastic process algebras. Sec. 4 and Sec. 5 do the same for the purely Markovian case and for the case where both Markovian and immediate transitions are allowed. In Sec. 6 we focus on BDDs and introduce a novel stochastic extension, DNBDDs. Furthermore, we show how algorithms for parallel composition and bisimulation can benefit from the use of these data structures. The paper concludes with Sec. 7.



2 Basic Definitions 



This section introduces the scenario that will be considered in the sequel. We define
a language and its operational semantics. In addition, we recall the notions of strong
and weak Markovian bisimilarity. We refer to [?] for more details and motivating
examples.



Definition 1. Let Act be the set of valid action names and Pro the set of process names.
We distinguish the action i as an internal, invisible activity. Let a ∈ Act, P, P_i ∈ L,
A ⊆ Act \ {i}, and X ∈ Pro. The set L of expressions consists of the following
language elements:

    stop              inaction
    a ; P             action prefix
    (a, λ) ; P        Markovian prefix
    P_1 [] P_2        choice
    P_1 |[A]| P_2     parallel composition
    hide a in P       hiding
    X                 process instantiation

A set of process definitions (of the form X := P) constitutes a process environment.

The following operational semantic rules define a labelled transition system (LTS) containing action transitions, --a-->, and Markovian transitions, --a,λ-->. The semantic rule for synchronisation of Markovian transitions is parametric in a function φ determining the rate of synchronisation, in response to the fact that different synchronisation policies (minimum, maximum, product, ...) are possible. Note, however, that the apparent rate construction of PEPA [?] requires a function φ(P, Q, λ, μ) instead.
Strong and weak Markovian bisimilarity are defined in a variant of Larsen & Skou style [?], using the function γ : L × Act × 2^L → ℝ, often called the cumulative rate, defined as follows (we use {| and |} to denote multiset brackets):

$$\gamma(P, a, C) := \sum_{\lambda \in E(P,a,C)} \lambda \quad\text{where}\quad E(P, a, C) := \{|\, \lambda \mid P \xrightarrow{a,\lambda} P' \;\wedge\; P' \in C \,|\}.$$



Definition 2. An equivalence relation B is a strong Markovian bisimulation, if (P, Q) ∈ B implies that

(i) P --a--> P' implies Q --a--> Q', for some Q' with (P', Q') ∈ B,

(ii) for all equivalence classes C of B and all actions a it holds that γ(P, a, C) = γ(Q, a, C).

Two expressions P and Q are strong Markovian bisimilar (written P ~ Q) if they are contained in a strong Markovian bisimulation.

Weak bisimilarity is obtained from strong bisimilarity by basically replacing --a--> with ==a==>. Here, ==a==> denotes an observable a-transition that is preceded and followed by an arbitrary number (including zero) of invisible activities, i.e. ==a==> := (--i-->)* --a--> (--i-->)*. If a is internal (a = i), ==i==> abbreviates (--i-->)*. As discussed in [?], the extension from strong to weak Markovian bisimilarity has to take into account the interplay of Markovian and immediate transitions. Priority of internal immediate transitions gives rise to the following definition [?].

Definition 3. An equivalence relation B is a weak Markovian bisimulation, if (P, Q) ∈ B implies that

(i) P ==a==> P' implies Q ==a==> Q', for some Q' with (P', Q') ∈ B,

(ii) if P ==i==> P' and P' -/i-->, then there exists Q' such that Q ==i==> Q', Q' -/i--> and for all equivalence classes C of B and all actions a, γ(P', a, C) = γ(Q', a, C).

Two expressions P and Q are weak Markovian bisimilar (written P ≈ Q) if they are contained in a weak Markovian bisimulation.
In this definition, P -/i--> denotes that P does not possess an outgoing internal immediate transition. We call such a state a tangible state, as opposed to vanishing states which may internally and immediately evolve to another behaviour (denoted P --i-->).

It can be shown that strong Markovian bisimilarity is a congruence with respect to the language operators, provided that φ is distributive over summation of real values. The same result holds for weak Markovian bisimilarity except for congruence with respect to choice, see [?].

In the sequel, we consider two distinct sub-languages of L. The first, L_1, arises by disallowing Markovian prefix. This sub-language gives rise to an ordinary, non-stochastic process algebra, a subset of Basic LOTOS [?] where only action transitions appear in the underlying LTS. On this language, strong and weak Markovian bisimilarity coincide with Milner's non-stochastic strong and weak bisimilarity [?]. The complementary subset, L_2, is obtained by disallowing the other prefix, action prefix. The resulting language coincides with MTIPP à la [?] (if φ is instantiated with multiplication), and both strong and weak Markovian bisimilarity coincide with Markovian bisimilarity on MTIPP. Note that Markovian bisimilarity agrees with Hillston's strong equivalence [?]. The semantics of L_2 only contains Markovian transitions, and we will refer to such a transition system as a stochastic LTS (SLTS). The complete language, where both prefixes coexist, involves both types of transitions, and we shall call such a transition system an extended SLTS (ESLTS).

3 Bisimulation Minimisation in Non-stochastic Process Algebras 

In this section, we introduce the general idea of iterative partition refinement, working with the language L_1. We aim to set the ground for an understanding of the following sections. To illustrate the key ideas, we use as an example a queueing system, consisting of an arrival process and a finite queue. First, we model an arrival process as an infinite sequence of incoming arrivals (arrive), each followed by an enqueue action (enq).

    Arrival := arrive; enq; Arrival

The behaviour of the queue is described by a family of processes, one for each value of the current queue population.

    Queue_0   := enq; Queue_1
    Queue_i   := enq; Queue_{i+1} [] deq; Queue_{i-1}       1 ≤ i < max
    Queue_max := deq; Queue_{max-1}

These separate processes are combined by parallel composition in order to describe the whole queueing system. Hiding is used to internalise actions as soon as they are irrelevant for further synchronisation.

    System := hide enq in (Arrival |[enq]| Queue_0)

Fig. 1 (top) shows the LTS associated with the System specified above for the case that the maximum queue population is max = 3. The LTS has 8 states, the initial state being emphasised by a double circle. Fig. 1 (bottom) shows an equivalent representation, minimised with respect to weak bisimilarity. The original state space is reduced by replacing every class of weakly bisimilar states by a single state.

Most algorithms for computing bisimilarity require a finite state space. Traditionally, they follow an iterative refinement scheme [?]. This means that starting
Fig. 1. LTS of the queueing system example, before and after applying weak bisimilarity



from an initial partition of the state space which consists of a single class (containing all states), classes are refined until the obtained partition corresponds to a bisimulation equivalence. The result thus obtained is the largest existing bisimulation, in a sense the "best" such bisimulation, since it has a minimal number of equivalence classes.

For the refinement of a partition, the notion of a "splitter" is very important. A splitter is a pair (a, C_spl), consisting of an action a and a class C_spl. During refinement, a class C is split with respect to a splitter, which means that subclasses C⁺ and C⁻ are computed, such that subclass C⁺ contains all those states from C which can perform an a-transition leading to class C_spl, and C⁻ contains all remaining states.

In the following, an algorithm for strong bisimulation is presented. The algorithm uses a dynamic set of splitters, denoted Splitters. Note that here we only present a basic version of the algorithm which can be optimised in many ways [?]. By a deliberate treatment of splitters, it is possible to obtain a time complexity O(m log n), where n is the number of states and m is the number of transitions.

1. Initialisation

    Partition := {S}
        /* the initial partition consists of only one class which contains all states */
    Splitters := Act × Partition
        /* all pairs of actions and classes have to be considered as splitters */

2. Main loop

    while (Splitters ≠ ∅)
        choose splitter (a, C_spl) ∈ Splitters
        forall C ∈ Partition  split(C, a, C_spl, Partition, Splitters)
            /* all classes (including C_spl itself) are split */
        Splitters := Splitters − (a, C_spl)
            /* the processed splitter is removed from the splitter set */

It remains to specify the procedure split. Its task is to split a class C, using (a, C_spl) as a splitter. If splitting actually takes place, the input class C is split into subclasses C⁺ and C⁻.

    procedure split(C, a, C_spl, Partition, Splitters)
        C⁺ := {P | P ∈ C ∧ ∃Q : (P --a--> Q ∧ Q ∈ C_spl)}
            /* the subclass C⁺ is computed */
        if (C⁺ ≠ C ∧ C⁺ ≠ ∅)
            /* only continue if class C actually needs to be split */
            C⁻ := C − C⁺
                /* C⁻ is the complement of C⁺ with respect to C */
            Partition := Partition ∪ {C⁺, C⁻} − {C}
            Splitters := Splitters ∪ (Act × {C⁺, C⁻}) − Act × {C}
                /* the partition and the splitter set are updated */

Fig. 2. Initialisation, first and second refinement step of the algorithm

We illustrate the algorithm by means of the above queueing example. In fact, we shall compute weak instead of strong bisimilarity. The only change that is necessary for this purpose concerns the transition relation --a--> used in procedure split, which is replaced by the weak relation ==a==>. However, this requires the computation of ==a==> during the initialisation phase. As a matter of fact, the computation of ==a==> dominates the complexity of partition refinement, basically because the reflexive and transitive closure of internal moves --i--> has to be computed in order to build the weak transition relation. The usual way of computing a transitive closure has cubic complexity. (Some slight improvements are known for this task, see for instance [?]. In any case, this is the computationally expensive part.)

The LTS is depicted in Fig. 2 (top) where we have used a particular shading of states in order to visualize the algorithm. In the beginning all states are assumed to be equivalent, and hence, all states are shaded with the same pattern. We use C_all to refer to the set of states shaded like this, so Partition := {C_all}, and Splitters is initialised accordingly.

After computing the weak transition relation ==a==>, we start partition refinement by choosing a splitter, say (deq, C_all), and computing split(C_all, deq, C_all). The initial state has no possibility to perform a ==deq==> transition in contrast to all other states. Therefore C⁻ consists of the initial state only, and C⁺ of the remaining states. As a consequence, Partition becomes {C⁻, C⁺}, and
Fig. 3. Semantic model of the Markovian queueing system, isomorphic to a CTMC

new splitters are added to Splitters while the currently processed one, (deq, C_all), is removed. This completes the first iteration and leads to the situation depicted in Fig. 2 (middle).

By choosing a different splitter, say (deq, C⁻), we start the next iteration. Since Partition now contains two elements, we compute split(C⁻, deq, C⁻) and split(C⁺, deq, C⁻). C⁻ cannot be split any further, while splitting of C⁺ returns two subclasses. Updating Partition to these three classes and adding new splitters leads to the situation depicted in Fig. 2 (bottom). Subsequent iterations of the algorithm will divide the largest class further, leading to five partitions in total. The algorithm terminates once the set Splitters is empty.

4 The Markovian Case

In this section, we consider the MTIPP-style language L_2 where all actions are associated with a delay which is an exponentially distributed random variable. In addition, MTIPP instantiates φ with the product of rates, for reasons discussed (for instance) in [?]. The semantic model of a process from the language L_2 is an SLTS, only containing transitions of the form --a,λ-->.

We return to our example of a queueing system. The arrival process is now modelled as follows, employing the Markovian action prefix:

    Arrival := (arrive, λ); (enq, 1); Arrival

Action arrive occurs with rate λ, whereas for action enq we specified the (passive) rate 1, the neutral element of multiplication. The queue process determines the actual rate of enq, occurring as a result of synchronisation via enq.

    Queue_0   := (enq, η); Queue_1
    Queue_i   := (enq, η); Queue_{i+1} [] (deq, δ); Queue_{i-1}       1 ≤ i < max
    Queue_max := (deq, δ); Queue_{max-1}

Fig. 3 depicts the SLTS obtained from the parallel composition of processes Arrival and Queue_0 synchronised over action enq.

From a given SLTS one can immediately construct a continuous time Markov chain (CTMC [?]). The arcs of the CTMC are given by the union of all the transitions joining the LTS nodes (regardless of their labels), and the transition rate is the sum of the individual rates. This is justified by the properties of the exponential distribution, in particular the fact that the minimum of two exponentially distributed random variables with rates λ_1, λ_2 is again exponentially distributed with rate λ_1 + λ_2. Transitions leading back to the same node (loops) can be neglected, since they would have no effect on the balance equations of the CTMC. The CTMC carries only the (cumulated) rate labels.
Fig. 4. split_tree used by procedure split'

Performance measures can then be derived by calculating the steady-state or transient 
state probabilities of the CTMC. 

As already mentioned, both strong and weak Markovian bisimilarity coincide with Markovian bisimilarity à la MTIPP on this language. The technical reason is that the first clauses of Definition 2 and Definition 3 are irrelevant, while the respective second clauses both boil down to γ(P, a, C) = γ(Q, a, C) for all actions a and classes C. This equivalence notion has a direct correspondence to the notion of lumpability on CTMCs [?]. As a consequence, the algorithm which we develop can be used to efficiently compute lumpable partitions of an SPA description (as well as a CTMC in isolation). The basic bisimulation algorithm is the same as in Sec. 3, only the procedure split needs to be modified. Procedure split' now uses a data structure split_tree which is shown in Fig. 4. It essentially sorts states according to their γ-values. During refinement, when a class C is split by means of a splitter (a, C_spl), possibly more than two subclasses C_{γ_1}, C_{γ_2}, ..., C_{γ_k} will be generated. Input class C is split such that the cumulative rate γ(P, a, C_spl) = γ_j is the same for all the states P belonging to the same subclass C_{γ_j}, a leaf of the split_tree.

    procedure split'(C, a, C_spl, Partition, Splitters)
        forall P ∈ C
            γ := γ(P, a, C_spl)
                /* the cumulative rate from state P to C_spl is computed */
            insert(split_tree, P, γ)
                /* state P is inserted into the split_tree */
        /* now, split_tree contains k leaves C_{γ_1}, ..., C_{γ_k} */
        if (k > 1)
            /* only continue if C has been split into k > 1 subclasses */
            Partition := Partition ∪ {C_{γ_1}, C_{γ_2}, ..., C_{γ_k}} − {C}
            Splitters := Splitters ∪ (Act × {C_{γ_1}, C_{γ_2}, ..., C_{γ_k}}) − Act × {C}
                /* the partition and the splitter set are updated */

In the forall loop of procedure split', the cumulative rate γ is computed for every state P in class C, and state P is inserted into the split_tree such that states with the same cumulative rate belong to the same leaf (procedure insert). The split_tree has k leaves, i.e. k different values of γ have appeared. If splitting has taken place (i.e. if k > 1), the partition must be refined and the set of splitters has to be updated.

Theorem 1. The above algorithm computes Markovian bisimilarity on a given SLTS. It can be implemented such that the time complexity is of order O(m log n) and the space complexity is of order O(m + n), where n is the number of states and m is the number of transitions.
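As an added Python example (not the paper's or any tool's code), the refinement loop of Sec. 3 and the split' of this section written once: the same loop computes weak bisimilarity on the Sec. 3 queueing LTS (after building the weak transition relation) and Markovian bisimilarity on the Sec. 4 SLTS through cumulative rates, the two-way split of Sec. 3 being the special case of a split_tree with two leaves. The state encoding (phase, population), the numeric rates and the duplicated arrival process used to exhibit lumping are constructed assumptions.

```python
"""Added example (not the paper's code): partition refinement with a dynamic set
of splitters, written once so that the same loop computes
  - strong / weak bisimilarity on an LTS (procedure split of Sec. 3), and
  - Markovian bisimilarity via cumulative rates (procedure split' of Sec. 4).
A transition is (source, action, rate, target); rate is None for action transitions.
Assumptions: state encodings (phase, population), numeric rates and the duplicated
arrival process below are constructed inputs, not taken from the paper."""
from collections import defaultdict
from fractions import Fraction

INTERNAL = "i"   # LOTOS-style internal action, as on the page


def gamma(transitions, p, a, cls):
    """Cumulative rate gamma(P, a, C) of Sec. 2: multiset sum of the rates of the
    a-transitions leaving P and ending in class C."""
    return sum((r for (s, b, r, t) in transitions if s == p and b == a and t in cls), Fraction(0))


def reaches(transitions, p, a, cls):
    """Splitting criterion of procedure split (Sec. 3): P --a--> Q with Q in C."""
    return any(s == p and b == a and t in cls for (s, b, _, t) in transitions)


def refine(states, transitions, signature):
    """Iterative partition refinement. 'signature' plays the role of the split_tree key:
    states of a class with equal signature w.r.t. splitter (a, C_spl) share one leaf."""
    actions = sorted({a for (_, a, _, _) in transitions})
    partition = [frozenset(states)]                     # one class with all states
    splitters = [(a, partition[0]) for a in actions]    # Act x Partition
    while splitters:
        a, c_spl = splitters.pop()                      # choose a splitter
        new_partition = []
        for c in partition:
            leaves = defaultdict(set)                   # split_tree: value -> leaf
            for p in c:
                leaves[signature(transitions, p, a, c_spl)].add(p)
            if len(leaves) == 1:                        # class C need not be split
                new_partition.append(c)
                continue
            subclasses = [frozenset(leaf) for leaf in leaves.values()]
            new_partition.extend(subclasses)
            # Splitters := Splitters U (Act x subclasses) - Act x {C}
            splitters = [s for s in splitters if s[1] != c]
            splitters.extend((b, sc) for b in actions for sc in subclasses)
        partition = new_partition
    return sorted(partition, key=lambda c: sorted(c))


def weak_transitions(states, transitions):
    """==a==> from --a-->: i* a i* for visible a, and i* (reflexive-transitive
    closure of internal moves) for a = i; the expensive step discussed in Sec. 3."""
    closure = {p: {p} for p in states}
    changed = True
    while changed:
        changed = False
        for (s, b, _, t) in transitions:
            if b != INTERNAL:
                continue
            for p in states:
                if s in closure[p] and t not in closure[p]:
                    closure[p].add(t)
                    changed = True
    weak = set()
    for p in states:
        for q in closure[p]:
            weak.add((p, INTERNAL, None, q))
            for (s, b, _, t) in transitions:
                if s == q and b != INTERNAL:
                    weak.update((p, b, None, u) for u in closure[t])
    return list(weak)


def queue_lts(max_pop):
    """Sec. 3: hide enq in (Arrival |[enq]| Queue_0). State = (phase, population),
    phase A0 = before 'arrive', A1 = before 'enq' (hidden, hence internal)."""
    states, trans = [], []
    for i in range(max_pop + 1):
        states += [("A0", i), ("A1", i)]
        trans.append((("A0", i), "arrive", None, ("A1", i)))
        if i < max_pop:
            trans.append((("A1", i), INTERNAL, None, ("A0", i + 1)))
        if i > 0:
            trans.append((("A0", i), "deq", None, ("A0", i - 1)))
            trans.append((("A1", i), "deq", None, ("A1", i - 1)))
    return states, trans


def markov_queue_slts(max_pop, lam, eta, delta, copies=1):
    """Sec. 4: Arrival |[enq]| Queue_0 with rates lam (arrive), eta*1 (enq, product
    with the passive rate 1) and delta (deq). copies > 1 unfolds Arrival into
    syntactically distinct but Markovian bisimilar copies (constructed input)."""
    states, trans = [], []
    for k in range(copies):
        nxt = (k + 1) % copies
        for i in range(max_pop + 1):
            a0, a1 = ((k, "A0"), i), ((k, "A1"), i)
            states += [a0, a1]
            trans.append((a0, "arrive", lam, a1))
            if i < max_pop:
                trans.append((a1, "enq", eta * 1, ((nxt, "A0"), i + 1)))
            if i > 0:
                trans.append((a0, "deq", delta, ((k, "A0"), i - 1)))
                trans.append((a1, "deq", delta, ((k, "A1"), i - 1)))
    return states, trans
```

On the Sec. 3 LTS with max = 3 the weak refinement yields the five classes of Fig. 1 (bottom); on the Sec. 4 SLTS no two states are Markovian bisimilar, whereas the duplicated arrival process is lumped back to the eight states of Fig. 3.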
Fig. 5. ESLTS of the queueing system example, before and after applying weak Markovian bisimilarity

The detailed proof is given in [?]. As in [?], the crucial point to obtain the time complexity of non-stochastic strong bisimilarity is that all but one of the largest subclasses C_{γ_j} are actually inserted into the set Splitters of potential splitters. (No assumptions about the time complexity of arithmetic operations are required.)



5 Markovian and Immediate Actions 

In this section, we consider the complete language L where both immediate and Markovian actions coexist. Again, we return to our queueing system example. In the arrival process, action arrive has an exponential delay, whereas action enq is immediate.

    Arrival := (arrive, λ); enq; Arrival

The specification of the Queue is again modified with respect to Sec. 3, i.e. action enq is immediate and action deq has exponential delay.

    Queue_0   := enq; Queue_1
    Queue_i   := enq; Queue_{i+1} [] (deq, δ); Queue_{i-1}       1 ≤ i < max
    Queue_max := (deq, δ); Queue_{max-1}

The overall system is again given by the composition of Arrival and Queue_0, where enq is hidden after synchronisation. The semantic model of such a specification from the language L is an ESLTS with two types of transitions: Markovian transitions --a,λ--> and action transitions --a-->. Fig. 5 (top) depicts the ESLTS for the example queueing system. In the context of our complete language L, the notion of weak Markovian bisimilarity is central for associating a CTMC to a given specification. The reason is that immediate transitions do not have a counterpart on the level of the CTMC. Weak Markovian bisimilarity justifies eliminating internal immediate transitions such that an SLTS, and hence an (action labelled) CTMC, results from the quotient transition system (the transition system obtained by representing each equivalence class by a single state). The details of this strategy are described in [?]. In order to illustrate how the relation can be used to achieve this, the equivalence classes of weak Markovian bisimilarity are indicated in Fig. 5 (bottom). Note, however, that this effect relies on abstraction of immediate actions before applying weak Markovian bisimilarity. Furthermore, a unique CTMC exists only if nondeterminism is absent after applying weak Markovian bisimilarity. The absence of nondeterminism is easy to check on the quotient transition system.

Accordingly, an algorithm to compute weak Markovian bisimilarity is central for deriving the quotient transition system, and hence the CTMC. (In principle, the CTMC could also be derived from a specification by purely syntactic transformations, using the complete axiomatisation from [?].) Our algorithm is based on the one given in the previous section, but proceeds in a different way. The technical reason is that, similar to the computation of branching bisimilarity [?], refining a partition by means of a splitter might cause that the refinement with respect to already processed splitters has to be repeated for this partition.¹ This is a crucial difference with respect to the algorithms we have described before, for which termination is only guaranteed because refinement with respect to an already processed splitter is never repeated for that splitter. For branching bisimilarity, the problem is tackled in [?] by introducing a distinct treatment of vanishing states. Bouali has adopted this machinery to compute also weak bisimilarity [?]. Indeed our algorithm is based on this adaptation.

We use P P' to indicate that P may internally and immediately evolve to a tan- 
gible state P\ i.e. where no further internal immediate transition is possible. Formally, 

P P' iff P ==i=» P' for some P' with P' If there is at least one tangible 

state P' that can be reached from P via a (possibly empty) sequence of internal imme- 
diate transitions we use the predicate P ^ . Note that P ^ whenever P is tangible. 
The converse situation, where a (vanishing) state P has no possibility to internally and 
immediately evolve to a tangible state, is denoted P . We refer to such states as di- 
vergent states, as opposed to convergent states (satisfying P ^). For the presentation 
of the algorithm, we first restrict to transition systems that do not contain divergent 
states. This is done to simplify the exposition, the general case is discussed afterwards. 
Restricted to divergence-free ESLTS, the basic algorithm is as follows. 

1. Initialisation as before in Sec. 3. In addition, weak transitions ==a==> are computed from --a-->.

2. Main loop

    while (Splitters ≠ ∅)
        choose splitter (a, C_spl)
        forall C ∈ Partition  split(C, a, C_spl, Partition, Splitters)
            /* all classes are split with respect to weak transitions */
        forall C ∈ Partition  split''(C, a, C_spl, Partition, Splitters)
            /* all classes are split with respect to Markovian transitions */
        Splitters := Splitters − (a, C_spl)
            /* the processed splitter is removed from the splitter set */

The main loop contains two different procedures, split and split'', requiring further explanation. The first, split(C, a, C_spl, Partition, Splitters), refines with respect to clause (i) of Definition 3. This is achieved using the procedure split of Section 3, but applied on weak transitions, as in the example of Sec. 3. The second procedure, split''(C, a, C_spl, Partition, Splitters), is more complicated. It refines with respect to the second clause of Definition 3. The details are given below.



¹ In terms of [?], stability is not inherited under refinement.
Fig. 6. Initialisation and first refinement step of the algorithm



    procedure split''(C, a, C_spl, Partition, Splitters)
        forall P ∈ C ∧ P -/i-->
            /* P is a tangible state */
            γ := γ(P, a, C_spl)
                /* the cumulative rate to C_spl is computed */
            insert(split_tree, P, γ)
                /* state P is inserted into the split_tree */
        /* now, split_tree contains k leaves C_{γ_1}, ..., C_{γ_k} */
        forall P ∈ C ∧ P --i-->
            /* P is a vanishing state */
            if (∃ γ_j : every tangible Q reachable from P by internal immediate moves satisfies Q ∈ C_{γ_j})
                /* P can internally and immediately reach tangible states of class C_{γ_j} only */
                insert(split_tree, P, γ_j)
        Partition := Partition ∪ {C_{γ_1}, C_{γ_2}, ..., C_{γ_k}} − {C}
        Splitters := Splitters ∪ (Act × {C_{γ_1}, C_{γ_2}, ..., C_{γ_k}}) − Act × {C}
            /* the partition and the splitter set are updated */
        if (C ≠ ∪_j C_{γ_j})
            /* some vanishing states have not been covered yet */
            Partition := Partition ∪ {C − ∪_j C_{γ_j}}
            Splitters := Splitters ∪ (Act × {C − ∪_j C_{γ_j}})
            /* all remaining vanishing states form a new class, since they can internally
               and immediately evolve to tangible states belonging to different classes */

The reader is invited to check the result depicted in Fig. El by means of this algorithm. 
To facilitate the inspection, tangible states are highlighted by bold circles in the figure. 
In order to illustrate the algorithm on a nontrivial example, where all the distinctions 
between different types of vanishing states matter, we consider a different example, 
depicted in Fig. 5 (top). 

The initialisation proceeds as usual. After computing the weak transition relation ==>, 
we start the algorithm by choosing a splitter, say (a, and computing split(^, a, ^). 
Two states may perform an ==a==> transition, in contrast to all other states. Therefore 
^ and ^ = Cd. Partition and Splitters are updated accordingly, leading to the situation 
depicted in Fig. 5 (middle). 

The subsequent invocation of split''(Co, a, ^) is most interesting (as opposed to 
split''(t^, a, ^)). First, the three tangible markings (indicated by bold circles) in class 
Co are inserted into split_tree according to their cumulative rates of moving into the 
(former) class ^. This leads to a tree with two leaves, C_2λ and C_λ, containing two, 
respectively one state. Now the three remaining vanishing states are treated: the rightmost 
vanishing state can internally and immediately evolve only to tangible states of class 
C_λ (note that according to Definition 3 the transition —^>• is irrelevant since it 
originates in a vanishing state). For the same reason, the left vanishing state is inserted 
into class C_2λ. Only the initial state is not covered yet, since it has an internal, 
nondeterministic choice of behaving as a member of either of the classes. Hence, this 
state forms a new class, SC3. In total, split''(Cj, a, ^) has split Cd into 1^, Co 
(representing C_2λ and C_λ), and ^, leading to the situation depicted in Fig. 5 (bottom) 
(Partition and Splitters are updated accordingly). This situation incidentally coincides 
with the classes of weak Markovian bisimilarity, because subsequent refinement steps 
do not reveal any distinction in one of these four classes. The algorithm terminates once 
the set Splitters is emptied. 
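The following Python program is an added, explicit-state illustration of the divergence-free algorithm above and of procedure split''; it is not code from the paper. It assumes a simplified ESLTS in which action transitions are triples (source, action, target) with the internal action written as "tau", Markovian transitions are triples (source, rate, target) without an action label, a state is tangible exactly when it has no outgoing tau transition, and the cumulative rate γ(P, C_spl) sums the rates of P's Markovian transitions into C_spl. The main loop is run as a fixpoint over all (action, class) pairs instead of maintaining the splitter set; the sample ESLTS (states x, t1..t3, vl, vr, v0) is constructed so that one vanishing state has an internal nondeterministic choice between two leaves and therefore ends up in a class of its own, as in the narrative above.

```python
from collections import defaultdict

TAU = "tau"

# Constructed ESLTS (not the paper's example): x only has an a-labelled self-loop;
# t1, t2, t3 are tangible (no internal transitions) and move to x at rates 1, 1 and 2;
# vl, vr and v0 are vanishing, i.e. they have outgoing internal (tau) transitions.
STATES = {"x", "t1", "t2", "t3", "vl", "vr", "v0"}
ACTIONS = [("x", "a", "x"), ("vl", TAU, "t1"), ("vr", TAU, "t3"),
           ("v0", TAU, "vl"), ("v0", TAU, "vr")]
MARKOV = [("t1", 1.0, "x"), ("t2", 1.0, "x"), ("t3", 2.0, "x")]


def tau_closure(states, actions):
    """closure[P] = {Q | P ==> Q}: states reachable by zero or more internal steps."""
    succ = defaultdict(set)
    for p, act, q in actions:
        if act == TAU:
            succ[p].add(q)
    closure = {}
    for p in states:
        seen, stack = {p}, [p]
        while stack:
            for q in succ[stack.pop()] - seen:
                seen.add(q)
                stack.append(q)
        closure[p] = seen
    return closure


def weak_successors(p, a, actions, closure):
    """{Q | P ==a==> Q}, i.e. tau* a tau* (just tau* when a is tau)."""
    if a == TAU:
        return closure[p]
    return {q for p1 in closure[p] for src, act, tgt in actions
            if src == p1 and act == a for q in closure[tgt]}


def is_tangible(p, actions):
    return not any(src == p and act == TAU for src, act, _ in actions)


def split_weak(C, a, C_spl, actions, closure):
    """Procedure split, clause (i): C+ holds the states of C that weakly reach C_spl by a."""
    plus = frozenset(p for p in C if weak_successors(p, a, actions, closure) & C_spl)
    return [cls for cls in (plus, C - plus) if cls]


def gamma(p, C_spl, markov):
    """Cumulative rate of the Markovian transitions from p into C_spl (assumed form)."""
    return sum(rate for src, rate, tgt in markov if src == p and tgt in C_spl)


def split_markov(C, C_spl, actions, markov, closure):
    """Procedure split'': tangible states are sorted into the split-tree leaves by
    cumulative rate; a vanishing state joins the leaf holding every tangible state it
    can reach internally; the uncovered vanishing states form a new class."""
    leaves = defaultdict(set)                    # rate -> leaf C_gamma
    for p in C:
        if is_tangible(p, actions):
            leaves[gamma(p, C_spl, markov)].add(p)
    leaf_of = {p: rate for rate, ps in leaves.items() for p in ps}
    uncovered = set()
    for p in C:
        if not is_tangible(p, actions):
            targets = {leaf_of.get(q) for q in closure[p] if is_tangible(q, actions)}
            if len(targets) == 1 and None not in targets:
                leaves[targets.pop()].add(p)
            else:                                # reaches several leaves, or none in C
                uncovered.add(p)
    result = [frozenset(ps) for ps in leaves.values()]
    if uncovered:
        result.append(frozenset(uncovered))
    return result


def weak_markovian_bisimulation(states, actions, markov):
    """Main loop as a fixpoint: every (action, class) pair of the current partition is
    used as a splitter until nothing changes (the explicit splitter set is omitted)."""
    closure = tau_closure(states, actions)
    acts = {act for _, act, _ in actions} | {TAU}
    partition = {frozenset(states)}
    changed = True
    while changed:
        changed = False
        for C_spl in list(partition):
            for a in acts:
                new = set()
                for C in partition:
                    for piece in split_weak(C, a, C_spl, actions, closure):
                        new.update(split_markov(piece, C_spl, actions, markov, closure))
                if new != partition:
                    partition, changed = new, True
    return partition
```

Running weak_markovian_bisimulation(STATES, ACTIONS, MARKOV) yields four classes: {x}, {t1, t2, vl}, {t3, vr} and {v0}. The two tangible states with rate 1 and the vanishing state that can only reach them internally share a class, t3 and vr form the rate-2 class, and v0 stays alone because its internal choice leads to tangible states of different leaves.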

To overcome the restriction to divergence-free ESLTS, a few modifications in the 
initialisation and the main loop of the algorithm are necessary. Algorithmically, the 
second clause of Definition 3 need not be checked at all for divergent states, while 
the first clause is still relevant. Furthermore, the second clause of Definition 3 implies 
that no convergent state is weakly Markovian bisimilar to a divergent state. These facts 
justify (1) separating convergent and divergent states during initialisation, and (2) 
excluding the refinement of classes of divergent states by means of procedure split'' in 
the main loop of the algorithm. Recall that split'' implements refinement with respect 
to the second clause of Definition 3. So, for the general case, the algorithm becomes as 
follows, where split and split'' are as before: 

1. Initialisation 

   Weak transitions ==> are computed from --> 
   Con := {{P ∈ S | P ↓}} 
   Div := {{P ∈ S | P ↑}} 
       /* the initial partition consists of two disjoint classes */ 
   Splitters := Act × (Con ∪ Div) 
       /* all pairs of actions and classes have to be considered as splitters */ 

2. Main loop 

   while (Splitters ≠ ∅) 
       choose splitter (a, C_spl) 
       forall C ∈ Con: split(C, a, C_spl, Con, Splitters) 
           /* all classes of convergent states are split with respect to weak transitions */ 
       forall C ∈ Div: split(C, a, C_spl, Div, Splitters) 
           /* all classes of divergent states are split with respect to weak transitions */ 
       forall C ∈ Con: split''(C, a, C_spl, Con, Splitters) 
           /* only the classes of convergent states are split with respect to Markovian transitions */ 
       Splitters := Splitters − {(a, C_spl)} 
           /* the processed splitter is removed from the splitter set */ 

An implementation of this algorithm, based on 12511 514111, has a cubic time complexity. 



Theorem 2. The above algorithm computes weak Markovian bisimilarity on a given 
ESLTS. It can be implemented such that it requires $O(n^3)$ time and $O(n^{?})$ space, where 
n is the number of states. 

The proof is given in IL5II, for the divergence-free as well as the general case. It is worth 
pointing out that non-stochastic weak bisimulation essentially has the same complexity, 
due to the fact that a transitive closure operation is needed to compute weak transitions 
in either case. 

6 Symbolic Representation with BDDs 

In this section, we discuss details of a BDD-based implementation of the above 
algorithms. BDDs are specific representations of Boolean functions and have recently 
gained remarkable attention as efficient encodings of very large state spaces. In a 
process algebraic context, this efficiency is mainly due to the fact that the parallel 
composition operator can be implemented on BDDs in such a way that the size of the 
data structure only grows linearly in the number of parallel components, especially for 
loosely coupled components. This compares favourably to the exponential growth caused 
by the usual operational semantics, due to the interleaving of causally independent 
transitions. We explain how LTSs can be encoded as BDDs and illustrate a way to 
include the rate information of (E)SLTS into this data structure and the bisimulation 
algorithms. To complete the picture, we also discuss parallel composition on BDDs. 

6.1 Binary Decision Diagrams and the Encoding of LTSs 

A Binary Decision Diagram (BDD) @ is a symbolic representation of a Boolean function 
$f : \{0,1\}^n \to \{0,1\}$. Its graphical interpretation is a rooted directed acyclic graph, 
essentially a collapsed binary decision tree in which isomorphic subtrees are merged 
and "don't care" nodes are skipped (a node is called "don't care" if the truth value of 
the corresponding variable is irrelevant for the truth value of the overall function). It 
is known that BDDs provide a canonical representation for Boolean functions, assuming 
a fixed ordering of the Boolean variables. Algorithms for BDD construction from a 
Boolean expression and for performing Boolean operations (and, or, not, ...) on BDD 
arguments all follow a recursive scheme. 

An LTS can be represented symbolically by a BDD. The idea is to encode states and 
actions by Boolean vectors (for the moment, we look at the non-stochastic case where 
it is not necessary to consider information about transition rates). One transition of the 
LTS then corresponds to a conjunction of $n_a + 2n_s$ literals (a literal is either a Boolean 
variable or the negation of a Boolean variable) 

$\bigwedge_{i=1}^{n_a} a_i \;\wedge\; \bigwedge_{j=1}^{n_s} s_j \;\wedge\; \bigwedge_{j=1}^{n_s} t_j$ 

where the literals $a_1 \ldots a_{n_a}$ encode the action, $s_1 \ldots s_{n_s}$ identify the source state and 
$t_1 \ldots t_{n_s}$ the target state of the transition (we assume that the number of distinct 
actions to be encoded is between $2^{n_a-1}+1$ and $2^{n_a}$, so that $n_a$ bits are suitable to 
encode them, and similarly for the number of states). The overall LTS corresponds to 
the disjunction of the terms for the individual transitions. The size of a BDD is highly 
dependent on the chosen variable ordering. In the context of transition systems, 
experience has shown that the following variable ordering yields small BDD sizes ca: 

$a_1 < \ldots < a_{n_a} < s_1 < t_1 < s_2 < t_2 < \ldots < s_{n_s} < t_{n_s}$ 

i.e. the variables encoding the action come first, followed by the variables for source 
and target state, interleaved. In particular, this ordering is advantageous in view of the 
parallel composition operator discussed below. 

To illustrate the encoding, Fig. 7 shows the LTS corresponding to the Queue process 
from Sec. 0 (assuming, again, that max = 3), the way transitions are encoded 
and the resulting BDD (in the graphical representation of a BDD, one-edges are drawn 
solid, zero-edges dashed, and for reasons of simplicity, the terminal false-node and its 
adjacent edges are omitted). Since there are only two different actions (enq and deq), 
one bit would be enough to encode the action. However, in view of action arrive, which 
will be needed for process Arrival, we use two bits to encode the action, i.e. $n_a = 2$. 
The LTS has four states, therefore two bits are needed to represent the state, i.e. $n_s = 2$. 
In the BDD, one can observe the interleaving of the Boolean variables for the source 
and target state. 

Fig. 7. LTS, transition encoding and corresponding BDD for Queue 

The parallel composition operator can be realised directly on the BDD representation 
of the two operand processes. Consider the parallel composition of two processes, 
$P = P_1 \,|[A]|\, P_2$, and assume that the BDDs which correspond to processes $P_1$ and $P_2$ 
have already been generated and are denoted $\mathcal{D}_1$ and $\mathcal{D}_2$. The set A can also be coded 
as a BDD, namely $\mathcal{A}$. The BDD $\mathcal{D}$ which corresponds to the resulting process P can 
then be written as a Boolean expression: 

$\mathcal{D} = (\mathcal{D}_1 \wedge \mathcal{D}_2 \wedge \mathcal{A})$ 
$\quad \vee\; (\mathcal{D}_1 \wedge \overline{\mathcal{A}} \wedge \mathit{Stab}_{P_2})$ 
$\quad \vee\; (\mathcal{D}_2 \wedge \overline{\mathcal{A}} \wedge \mathit{Stab}_{P_1})$ 

The term on the first line is for the synchronising actions in which both $P_1$ and $P_2$ 
participate. The term on the second (third) line is for those actions which $P_1$ ($P_2$) performs 
independently of $P_2$ ($P_1$); these actions are all from the complement of A. The meaning 
of $\mathit{Stab}_{P_2}$ ($\mathit{Stab}_{P_1}$) is a BDD which expresses stability of the non-moving partner 
of the parallel composition, i.e. the fact that the source state of process $P_2$ ($P_1$) equals 
its target state. 

We illustrate parallel composition by means of our queueing example. Fig. 8 shows 
the intermediate and final BDDs when performing BDD-based parallel composition of 
processes Arrival and Queue_0. In the second (third) BDD one can observe the parts 
which express stability of process Queue_0 (Arrival). Even in this small example we 
observe the general tendency that the size of the resulting BDD (25 nodes, including the 
terminal false-node not shown) is in the order of the sum of the sizes of the two partner 
BDDs (15 nodes for Queue_0 and 8 nodes for Arrival, cf. Fig. 7 and Fig. 8). Thus, 
using BDD-based parallel composition, the typically observed exponential growth of 
memory requirements can be avoided. 

Fig. 8. Intermediate and final BDD results for parallel composition of Arrival and 
Queue_0 

The BDD resulting from the parallel composition, $\mathcal{D}$, describes all transitions which 
are possible in the product space of the two partner processes. Given a pair of initial 
states for $P_1$ and $P_2$, only part of the product space may be reachable due to 
synchronisation constraints. Reachability analysis can be performed on the BDD 
representation, restricting $\mathcal{D}$ to those transitions which originate in reachable states. 



6.2 Symbolic Bisimulation 

The basic bisimulation algorithm of Sec. 0 and its various optimisations can be realised 
efficiently using BDD-based data structures. For convenience, the transition system is 
represented not by a single BDD, but by a set of BDDs $T_a(s,t)$, one for each action a 
(here, s and t denote vectors of Boolean variables of length $n_s$). The current partition 
is stored as a set of BDDs $\{C_1(s), C_2(s), \ldots\}$, one for each class. When class C is 
split into subclasses $C^+$ and $C^-$ during execution of procedure split, those subclasses 
are also represented by BDDs. The dynamic set of splitters, Splitters, is realised as a 
pointer structure. The computation of the subclass $C^+$ in procedure split is formulated 
as a Boolean expression on BDD arguments 

$C^+(s) := C(s) \wedge \exists t : (T_a(s,t) \wedge C_{spl}(t))$ 

where the existential quantification is also performed on BDDs. 

6.3 BDDs with Rate Information 

Clearly, pure BDDs are not capable of representing the numerical information about 
the transition rates of a stochastic LTS. In the literature, several modifications and 
augmentations of the BDD data structure have been proposed for representing functions 
of the type $f : \{0,1\}^n \to \mathbb{R}$. Most prominent among these are multi-terminal BDDs 
|l8(, edge-valued BDDs [2^ and Binary Moment Diagrams (BMD) (7I|. In all of these 
approaches, the basic BDD structure is modified and the efficiency of the data structure, 
due to the sharing of isomorphic subtrees, may be diminished. Based on this observation, 
we developed a different approach which we call decision-node BDD (DNBDD). 
The distinguishing feature of DNBDDs is that the basic BDD structure remains 
completely untouched when moving from an LTS encoding to an SLTS encoding. The 
additional rate information is attached to specific edges of this BDD in an orthogonal 
fashion. 

In a BDD representing an LTS, a path p from the root to the terminal true-node 
corresponds to $2^k$ transitions of the transition system, where k is the number of "don't 
care" variables on that path (for an example of a "don't care" see Fig. 10 below). Since 
these transitions are labelled by $2^k$ distinct rates, we need to assign a rate list of length 
$2^k$ to that path. Let rates(p) denote a list of real values $(\lambda_0, \ldots, \lambda_{2^k-1})$, where k is 
the number of "don't cares" on path p. The correspondence between transitions and 
individual rates of such a list is implicitly given by the valuation of the encoding of the 
transitions on "don't care" nodes, which ranges from 0 to $2^k - 1$. 

For the practical realisation of this concept, and in order to make our representation 
canonical, we must answer the question of where to store the rate lists. This leads to the 
following consideration: instead of characterising a path by all its nodes, we observe 
that a path is fully characterised by its decision nodes. 

Definition 4. A decision node is a non-terminal BDD node whose successor nodes are 
both different from the terminal false-node. A decision node BDD (DNBDD) is a BDD 
enhanced by a function 

$\mathit{rates} : \mathit{Paths} \to (\mathbb{R})^*$ 

where Paths is the set of paths from the root node to the terminal true-node (and $(\mathbb{R})^*$ 
is the set of finite lists of real values), such that for any such path p, 

$\mathit{rates}(p) \in (\mathbb{R})^{2^k}$ 

if k is the number of "don't cares" on path p. The list $\mathit{rates}(p) = (\lambda_0, \ldots, \lambda_{2^k-1})$ is 
attached to the outgoing edge of the last decision node on path p, i.e. the decision node 
nearest to the terminal true-node. 
Fig. 9. DNBDDs for the queueing example (shorthand notation: X = r])){S){S)) 



To illustrate the DNBDD concept, we return to our queueing example. Fig. 9 shows the 
DNBDDs associated with processes Arrival, Queue_0 and Arrival |[enq]| Queue_0 (in 
the figure, decision nodes are drawn black). On the left, rates λ and 1 are attached to the 
outgoing edges of the (single) decision node of the BDD. In the middle, six individual 
rates are attached to the appropriate edges. On the right hand side, up to three rate 
lists, each consisting of a single rate, are attached to BDD edges. For instance, the rate 
lists (δ)(δ) specify the rates of the two transitions encoded as bitstrings 10110010 and 
10000010, whose paths share the last decision node. 

In the case where several rate lists are attached to the same BDD edge (because 
several paths share their last decision node) it is important to preserve the one-to-one 
mapping between paths and rate lists. This could simply be accomplished by the 
lexicographical ordering of paths. For algorithmic reasons, however, we use a so-called 
rate tree, an unbalanced binary tree which makes it possible to access rate lists during 
recursive descent through the BDD IBUI. In our current implementation of DNBDDs, 
the rate tree is implemented as illustrated in Fig. 10. This figure (left) shows the 
encoding of the transitions of some SLTS, each transition being associated with a 
rate. The first two transitions share the same path, a path which has a "don't care" in 
the Boolean variable s. Therefore, the corresponding rate list $(\lambda_0, \lambda_1)$ has length two. 
The other four paths do not have any "don't care" variables; they each correspond to 
exactly one transition of the SLTS and the corresponding rate lists have length one. The 
latter four paths all share their last decision node. Therefore each of the outgoing edges 
of that decision node carries two rate lists (of length one). The rate tree is built as a 
separate data structure from the BDD. However, its internal nodes and the rate lists are 
associated with the decision nodes of the BDD as indicated in Fig. 10 (right). The rate 
tree is manipulated by an appropriate extension of the procedures which manipulate the 
BDD. This implementation of the rate tree has the drawback that it requires the explicit 
storage of one rate for each encoded transition, which may cause considerable overhead. 
We are currently investigating this issue.^ 

   (a1, a2, s, t) → rate 
   (0, 1, 0, 1) → λ0 
   (0, 1, 1, 1) → λ1 
   (0, 0, 0, 1) → α 
   (0, 0, 1, 0) → β 
   (1, 0, 0, 1) → γ 
   (1, 0, 1, 0) → δ 

Fig. 10. Encoded transitions with rates, and corresponding DNBDD with rate tree 
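The following Python program is an added example, not code from the paper, that makes the path/rate-list correspondence of Definition 4 and the Fig. 10 discussion concrete. Instead of a BDD package it walks the decision tree of the encoded transition set directly: a variable is a "don't care" on a path when both cofactors are the same set of suffixes (exactly the node a reduced BDD would drop), and a node is a decision node when both cofactors are non-empty. For every root-to-true path it returns the pattern with "-" at the don't-care positions, the rate list ordered by the don't-care valuation 0 .. 2^k − 1, and the edge of the last decision node the list is attached to. The transition table is reconstructed from Fig. 10 with the rate symbols as strings; the second, numeric table in the usage note is constructed for sum_of_all_rates.

```python
from collections import defaultdict

# Constructed transition table in the shape of Fig. 10: variable order (a1, a2, s, t),
# one encoded transition per key; rates are kept symbolic here.
FIG10 = {"0101": "lambda0", "0111": "lambda1", "0001": "alpha",
         "0010": "beta", "1001": "gamma", "1010": "delta"}


def paths_with_dont_cares(codes):
    """Root-to-true paths of the reduced BDD of the encoded set.

    A variable is a don't care on a path when both cofactors are the same set of
    suffixes (the reduced BDD merges the two subtrees and drops the node).  Each path
    is returned as a pattern over {'0', '1', '-'} together with the identity of its
    last decision node as (level, cofactor set, outgoing edge), or None if there is none."""
    paths = []

    def walk(prefix, suffixes, last_decision):
        if suffixes == {""}:                         # terminal true-node reached
            paths.append((prefix, last_decision))
            return
        zero = frozenset(s[1:] for s in suffixes if s[0] == "0")
        one = frozenset(s[1:] for s in suffixes if s[0] == "1")
        if zero == one:                              # don't care: skip this variable
            walk(prefix + "-", zero, last_decision)
            return
        decision = bool(zero) and bool(one)          # both successors non-false
        for bit, sub in (("0", zero), ("1", one)):
            if sub:                                  # edges into the false-node are omitted
                walk(prefix + bit, sub,
                     (len(prefix), frozenset(suffixes), bit) if decision else last_decision)

    walk("", frozenset(codes), None)
    return paths


def rate_lists(codes_to_rate):
    """rates(p) for every path p, ordered by the valuation of p's don't-care variables
    (0 .. 2^k - 1), plus the rate lists attached to each decision-node edge."""
    per_path, attached = {}, defaultdict(list)
    for pattern, decision_edge in paths_with_dont_cares(codes_to_rate):
        dont_care = [i for i, c in enumerate(pattern) if c == "-"]
        matching = [c for c in codes_to_rate
                    if all(p == "-" or p == b for p, b in zip(pattern, c))]
        matching.sort(key=lambda c: "".join(c[i] for i in dont_care))
        per_path[pattern] = [codes_to_rate[c] for c in matching]
        attached[decision_edge].append(per_path[pattern])
    return per_path, attached


def sum_of_all_rates(per_path):
    """Sum of all entries of all rate lists (for numeric rates)."""
    return sum(rate for rates in per_path.values() for rate in rates)
```

For FIG10 the five paths are 0001, 0010, 01-1, 1001 and 1010; the path 01-1 carries the list (λ0, λ1), and the four paths without don't cares share their last decision node (the s node under the cofactor set {01, 10}), whose 0-edge carries the lists (α), (γ) and whose 1-edge carries (β), (δ), exactly the sharing described for Fig. 10. On a constructed numeric table such as {"00": 1.0, "01": 2.0, "11": 4.0}, sum_of_all_rates over the two paths 0- and 11 returns 7.0.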

Parallel composition of two SLTSs based on their symbolic representation follows 
the same basic algorithm as sketched in Sec. 6.1. Similar to the fact that the operational 
rules in Sec. 0 are parametric in the synchronisation policy, the concept of DNBDDs 
is not bound to a particular choice of function (/); any arithmetic expression of the two 
individual rates can be employed. 

6.4 Symbolic Markovian Bisimulation 

We now discuss aspects of a DNBDD-based algorithm which computes Markovian 
bisimulation on SLTSs. The basic bisimulation algorithm is the same as in Sec. 0; only 
the procedure split' needs to be adapted. When using DNBDDs, the cumulative rate 
of action a from state P to class $C_{spl}$ is computed in the following way: We compute 
$T_{a,P,C_{spl}}(s,t)$, the DNBDD which represents all a-transitions from state P to states 
from class $C_{spl}$. It can be obtained by restricting $T_a(s,t)$ to the single source state P 
and to target states from class $C_{spl}$ (again, the transition relation is represented by 
individual DNBDDs $T_a(s,t)$, one for every action a, and class C is represented by a BDD 
C(s)): 

$T_{a,P,C_{spl}}(s,t) := T_a(s,t) \wedge (s = P) \wedge C_{spl}(t)$ 

We use the notation s = P to denote that state P is encoded as Boolean vector 
s. The cumulative rate $\gamma(P, a, C_{spl})$ is then computed by applying the function 
sum_of_all_rates to $T_{a,P,C_{spl}}(s,t)$. This function simply sums up all the entries of 
all rate lists of a DNBDD. For example, application of the function sum_of_all_rates 
to the DNBDD in Fig. 10 yields $\lambda_0 + \lambda_1 + \alpha + \beta + \gamma + \delta$. Furthermore, in the split-tree 
used by procedure split' (Fig. 0), the subclasses $C_{\gamma_1}, \ldots, C_{\gamma_k}$ are now also represented 
by BDDs. 

procedure split'(C, a, C_spl, Partition, Splitters) 
    forall P ∈ C 
        T_{a,P,C_spl}(s,t) := T_a(s,t) ∧ (s = P) ∧ C_spl(t) 
        γ := sum_of_all_rates(T_{a,P,C_spl}(s,t)) 
            /* the cumulative rate from state P to C_spl is computed */ 
        insert(split-tree, P, γ) 
            /* state P is inserted into the split-tree */ 
    /* now, split-tree contains k leaves C_γ1, ..., C_γk */ 
    if (k > 1) 
        /* the remaining part of procedure split' is as in Sec. 0, */ 
        /* but Partition and Splitters are represented as BDDs */ 

^ In order to avoid such redundancies, an efficient data structure to represent rate trees might 
itself be based on BDDs. 

6.5 BDDs with and without Rate Information 

The semantics of the complete language comprises both types of transitions, action 
transitions and Markovian transitions, in one transition system, an ESLTS. Using the 
knowledge developed in the previous sections, an ESLTS can be encoded by means of 
two separate data structures, using BDDs to encode action transitions and DNBDDs to 
encode Markovian transitions. Also, during parallel composition, the component BDDs 
are treated separately from the component DNBDDs. Therefore the treatment of ESLTS 
does not pose specific problems. Furthermore, the computation of weak Markovian 
bisimilarity (Sec. 0) can be lifted to this combination of BDD and DNBDD. The 
computation of the weak transition relation ==> from --> during the initialisation step 
can easily be performed on the BDD for the action transitions. Only the first part of 
function split'' requires the DNBDD information, in order to sort tangible markings in 
a split-tree (the tangibility predicate is encoded as a BDD as well), in analogy to the 
implementation of function split' given in Sec. El. The subsequent steps work completely 
on BDDs. 



7 Conclusion 

In this paper, we have discussed efficient algorithms to compute bisimulation style 
equivalences for Stochastic Process Algebras. In addition, we have presented details 
of a BDD-based implementation of these algorithms, introducing DNBDDs to represent 
the additional rate information which is relevant for the analysis of the underlying 
Markov chain. 

The complexity results established in this paper allow the following simple conclusion: 
the computational complexity of computing bisimulation equivalences does not 
increase when moving from a non-stochastic to a stochastic setting. For Markovian 
bisimilarity this fact is also mentioned (in similar settings) in m and in H. 

The usefulness of BDDs to encode transition systems has been stressed by many 
authors. However, we would like to point out that the myth that BDDs always 
provide a more compact encoding than the ordinary representation (as a list or a sparse 
matrix data structure) does not hold in general. A naive encoding of transition systems 
as BDDs does not save space. Heuristics for encodings are needed, exploiting the 
structure of the specification. The implementation of parallel composition on BDDs is 
indeed such a heuristic, and a very successful one, since an exponential blow-up can 
be turned into a linear growth. 

Apart from encoding transition systems as (DN)BDDs and parallel composition on 
(DN)BDDs, we have described how bisimulation algorithms can be implemented on 
these data structures. As a consequence, all the ingredients are at hand for carrying out 
compositional aggregation of SPA specifications in a completely BDD-based framework. 
In this way, the state space explosion problem can be alleviated. We are currently 
implementing all these ingredients in a prototypical tool written in C, based on our own 
DNBDD package 0. However, in order to obtain performance results, the (minimised) 
BDD representation still has to be converted back to the ordinary representation, since 
we do not yet have a Markov chain analyser which works directly on DNBDDs. Numerical 
analysis based on DNBDDs is one of our topics for future work. For this purpose, 
it seems beneficial to investigate the actual relation between DNBDDs and MTBDDs, 
since MTBDD-based numerical analysis methods have already been developed 
Abstract. We describe the automata-theoretic approach to the algorithmic veri- 
fication of probabilistic finite-state systems with respect to linear-time properties. 
The basic idea underlying this approach is that for any linear temporal formula 
we can construct an automaton that accepts precisely the computations that sat- 
isfy the formula. This enables the reduction of probabilistic model checking to 
ergodic analysis of Markov chains. 



1 Introduction 

Temporal logics, which are modal logics geared towards the description of the temporal 
ordering of events, have been adopted as a powerful tool for specifying and verifying 
concurrent systems [Pnu81]. One of the most significant developments in this area is the 
discovery of algorithmic methods for verifying temporal logic properties of finite-state 
systems [CE81, QS81, LP85, CES86]. This derives its significance both from the fact 
that many synchronization and communication protocols can be modeled as finite-state 
programs, as well as from the great ease of use of fully algorithmic methods. Finite-state 
programs can be modeled by transition systems where each state has a bounded 
description, and hence can be characterized by a fixed number of Boolean atomic 
propositions. This means that a finite-state program can be viewed as a finite propositional 
Kripke structure and that its properties can be specified using propositional temporal 
logic. Thus, to verify the correctness of the program with respect to a desired behavior, 
one only has to check that the program, modeled as a finite Kripke structure, satisfies (is 
a model of) the propositional temporal logic formula that specifies that behavior. Hence 
the name model checking for the verification methods derived from this viewpoint. 
Surveys can be found in [CGL93, Wol89]. 

For linear temporal logics, a close and fruitful connection with the theory of automata 
over infinite words has been developed [VW86, VW94, Var96]. The basic idea 
is to associate with each linear temporal logic formula a finite automaton over infinite 
words that accepts exactly all the computations that satisfy the formula. This enables 
the reduction of various decision problems, such as satisfiability and model-checking, 
to known automata-theoretic problems, yielding clean and asymptotically optimal 
algorithms. Furthermore, these reductions are very helpful for implementing temporal-logic 
based verification methods, and are the key to techniques such as on-the-fly verification 
[CVWY92] that help coping with the "state-explosion" problem. 

* Supported in part by NSF grants CCR-9628400 and CCR-9700061, and by a grant from the 
Intel Corporation. URL: http://www.cs.rice.edu/~vardi. 

J.-P. Katoen (Ed.): ARTS’99, LNCS 1601, pp. 7.6S 4T7^ 1999. 
In view of the attractiveness of the model-checking approach, one would like to 
extend its applicability as much as possible. In particular, we would like to extend the 
model-checking approach to deal with probabilistic systems, since the introduction of 
probabilistic randomization into protocols has been shown to be extremely useful (see, 
for example, [LR81]). For probabilistic systems the situation becomes more complex. 
In such systems there is a probability measure defined on the set of computations. The 
notion of correctness now becomes probabilistic: we study here the notion that the 
program is correct if the probability that a computation satisfies the specification is one. 
(For investigations of quantitative notions of correctness, see, for example, fHM .i) 
Even in this setting, the automata-theoretic approach is very useful, as was shown in 
IVar85lfVW861iCYTO |CY95|. In this paper we provide an overview of the automata- 
theoretic approach to probabilistic model checking of linear temporal properties. We 
show how it provides essentially optimal algorithms in most cases, and highlight one 
case where it does not. 

2 Automata Theory 

A nondeterministic automaton on infinite words is a tuple $A = (\Sigma, S, S_0, \rho, \alpha)$, where 

- $\Sigma$ is a finite alphabet, 

- S is a finite set of states, 

- $S_0 \subseteq S$ is a set of initial states, 

- $\rho : S \times \Sigma \to 2^S$ is a (nondeterministic) transition function, and 

- $\alpha$ is an acceptance condition (will be defined precisely later). 

A state $s \in S$ is deterministic if $|\rho(s,a)| = 1$ for all $a \in \Sigma$. The automaton A is 
said to be semi-deterministic if all states are deterministic. If in addition $|S_0| = 1$, then 
A is said to be deterministic. 

A run of A over an infinite word $w = a_1 a_2 \ldots$ is a sequence $s_0, s_1, \ldots$, where 
$s_0 \in S_0$ and $s_i \in \rho(s_{i-1}, a_i)$, for all $i \geq 1$. Acceptance is defined in terms of limits. 
The limit of a run $r = s_0, s_1, \ldots$ is the set $\lim(r) = \{s \mid s = s_i \text{ infinitely often}\}$. 
A Büchi acceptance condition is a set $F \subseteq S$ of accepting states. A set $T \subseteq S$ is 
accepting if $T \cap F \neq \emptyset$. Note that when F = S, all sets are accepting; we call such an 
acceptance condition a trivial acceptance condition. A Rabin condition is a subset G of 
$2^S \times 2^S$, i.e., it is a collection of pairs of sets of states, written $[(L_1, U_1), \ldots, (L_k, U_k)]$. 
A set T is accepting if for some i we have that $T \cap L_i \neq \emptyset$ and $T \cap U_i = \emptyset$. A Streett 
condition is also a subset G of $2^S \times 2^S$, written $[(L_1, U_1), \ldots, (L_k, U_k)]$. A set T is 
accepting if for all i we have that if $T \cap L_i \neq \emptyset$, then $T \cap U_i \neq \emptyset$ (thus, Streett 
acceptance is dual to Rabin acceptance). Note that Büchi acceptance is a special case 
of both Rabin acceptance (the pair $(F, \emptyset)$) and Streett acceptance (the pair (S, F)). A 
Büchi (resp., Rabin, Streett) automaton is an automaton on infinite words with a Büchi 
(resp., Rabin, Streett) acceptance condition. Büchi, Rabin, and Streett conditions can 
all be viewed as fairness conditions, which are limit conditions on runs [Fra86]. A run 
r is accepting if lim(r) is accepting. An infinite word w is accepted by A if there is an 
accepting run of A over w. The set of infinite words accepted by A, called the language 
of A, is denoted L(A). 
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It is known that Rabin and Streett automata are not more expressive than Biichi 
automata. More precisely, if A is a Rabin or Streett automaton, then there is a Biichi 
automaton such that L{A) = L{A^) ITho9Q| . When A is a Rabin automaton, the 
translation to a Biichi automaton is quadratic, but when 2 I is a Streett automaton, the 
translation is exponential I1SV89II . 

An automaton A is nonempty if L{A) ^ 0. One of the most fundamental algorith- 
mic issues in automata theory is testing whether a given automaton is nonempty. The 
nonemptiness problem for automata is to decide, given an automaton A, whether A is 
nonempty. 

Proposition 1. ICES86I1 The nonemptiness problem for Biichi automata is decidable in 
linear time. 

Proof: Let A = (27, S', So, p, F) be the given automaton. Consider the directed graph 
Ga = (S,Ea), where Ea — {{s,t) 1^ S p{s,a),a C 27}. It can be shown that A 
is nonempty iff Ga has a nontrivial maximal strongly connected component that is 
reachable from So and intersects E nontrivially. As a depth-first-search algorithm can 
construct a decomposition of the graph into strongly connected components in linear 
time ICLR90I , the claim follows. | 

Since there is a quadratic translation of Rabin automata to Biichi automata. Propo- 
sition [I] yields a quadratic algorithm for nonemptiness of Rabin automata. For Streett 
automata, a direct algorithm is needed. 

Proposition 2. lEmeSSlI The nonemptiness problem for Streett automata is decidable 
in polynomial time. 

Proof: Let A = (27, S, So, p, G) be the given automaton. Again we start by decom- 
posing Ga into maximal strongly connected components reachable from Sq. We then 
iterate the following operation 

For a component Q and a pair (L, 17) G C?, if Q n L ^ 0 and Q H 17 = 0, then 
delete the states in L from Ga and recompute the decomposition into maximal 
strongly connected components. 

Since each iteration deletes states from Ga, the above operations can be applied only |S| 
times. L{A) is nonempty iff the final decomposition contains a nontrivial component. | 

As we shall see, closure under Boolean operations plays an important role in the
application to verification. We first consider closure under intersection.

Proposition 3. [Cho74] Let $A_1, A_2$ be Büchi automata. Then there is a Büchi automaton
$A$ such that $L(A) = L(A_1) \cap L(A_2)$.

Proof: We show the construction explicitly for the case that $A_1$ has a trivial acceptance
condition. Let $A_1 = (\Sigma, S_1, S_1^0, \rho_1, S_1)$ and $A_2 = (\Sigma, S_2, S_2^0, \rho_2, F_2)$. Let
$A = (\Sigma, S, S^0, \rho, F)$, where $S = S_1 \times S_2$, $S^0 = S_1^0 \times S_2^0$, $F = S_1 \times F_2$, and
$(s', t') \in \rho((s,t), a)$ if $s' \in \rho_1(s, a)$ and $t' \in \rho_2(t, a)$. □

We denote the intersection automaton by $A_1 \cap A_2$.

Büchi automata are also closed under complementation.

Proposition 4. [Büc62, Kla91, KV97b] Let $A$ be a Büchi automaton over an alphabet
$\Sigma$. Then there is a Büchi automaton $A^c$ such that $L(A^c) = \Sigma^\omega - L(A)$.

If $A$ has $n$ states, then $A^c$ has states, which is known to be tight [Mic88].

Unlike automata on finite words, Büchi automata are not closed under determinization,
i.e., nondeterministic Büchi automata are more expressive than deterministic Büchi
automata [Tho90]. In contrast, Rabin and Streett automata are closed under
determinization. In fact, they are also closed under co-determinization.

Proposition 5. [McN66, Saf89] Let $A$ be a Büchi automaton. There are deterministic
Rabin (resp., Streett) automata $A^d$ and $A^{cd}$ such that $L(A^d) = L(A)$ and
$L(A^{cd}) = \Sigma^\omega - L(A)$.

If $A$ has $n$ states, then $A^d$ and $A^{cd}$ have states and $O(n)$ pairs.



3 Verification

We focus here on finite-state systems, i.e., systems in which the variables range over
finite domains. The significance of this class follows from the fact that a significant
number of the communication and synchronization protocols studied in the literature
are in essence finite-state systems [Liu89, Rud87].

A finite-state system over a set $Prop$ of atomic propositions is a structure of the
form $M = (W, w_0, R, V)$, where $W$ is a finite set of states, $w_0 \in W$ is the initial state,
$R \subseteq W \times W$ is a total transition relation, and $V : W \to 2^{Prop}$ assigns truth values to
propositions in a set $Prop$ for each state in $W$. The intuition is that $W$ describes all the
states that the program could be in (where a state includes the content of the memory,
registers, buffers, location counter, etc.), $R$ describes all the possible transitions between
states (allowing for nondeterminism), and $V$ relates the states to the propositions (e.g.,
it tells us in what states the proposition $request$ is true). The assumption that $R$ is total
(i.e., that every state has a child) is for technical convenience. We can view a terminated
execution as repeating forever its last state.

Let $u$ be an infinite sequence $u_0, u_1, \ldots$ of states in $W$ such that $u_0 = w_0$, and
$u_i R u_{i+1}$ for all $i \geq 0$. Then the sequence $V(u_0) V(u_1) \ldots$ is a computation of $M$. If
we take $\Sigma$ to be $2^{Prop}$, then a computation of $M$ is a word in $\Sigma^\omega$. We denote the set of
computations of $M$ by $L(M)$. A specification for $M$ is a language $\sigma \subseteq \Sigma^\omega$. $M$ satisfies
$\sigma$ if every computation of $M$ is in $\sigma$.

A finite-state system $M = (W, w_0, R, V)$ can be viewed as a Büchi automaton
$A_M = (\Sigma, W, \{w_0\}, \rho, W)$, where $\Sigma = 2^{Prop}$ and $s' \in \rho(s, a)$ iff $(s, s') \in R$ and
$a = V(s)$. As this automaton has a set of accepting states equal to the whole set of
states, every infinite run of the automaton is accepting; that is, $L(A_M) = L(M)$. If $\sigma$
is expressed in terms of a specification automaton $A_\sigma$, then $M$ satisfies $\sigma$ iff $L(M) \subseteq
L(A_\sigma)$. This is called the language-containment approach to verification [Kur94]. Note
that $L(M) \subseteq L(A_\sigma)$ iff $L(M) \cap (\Sigma^\omega - L(A_\sigma)) = \emptyset$ iff $L(M) \cap L(A_\sigma^c) = \emptyset$ iff
$L(A_M \cap A_\sigma^c) = \emptyset$, where $A_\sigma^c$ is an automaton that complements $A_\sigma$ and $A_M \cap A_\sigma^c$ is the
intersection of $A_M$ and $A_\sigma^c$. Thus, verification is ultimately reducible to the emptiness
problem. Using Propositions 1 and 4 we get:

Theorem 6. Checking whether a Büchi automaton $A_\sigma$ with $n$ states is satisfied by a
finite-state program $M$ can be done in time O(||M|| ·

We note that a time upper bound that is polynomial in the size of the program and
exponential in the size of the specification is considered here to be reasonable, since the
specification is usually rather short [LP85]. It is unlikely that the exponential bound can
be improved, as the problem is PSPACE-complete [Wol83].
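The language-containment check above, as an added example that is not code from the paper: a constructed finite-state system is turned into $A_M$, intersected with an automaton that plays the role of $A_\sigma^c$ (given directly, as Section 4 does with $A_{\neg\varphi}$), and the product is tested for emptiness by two reachability searches, which also yields a counterexample computation when the check fails. The system, the propositions and the automaton are all constructed here.

```python
from collections import deque

# Automata are dicts {'init', 'delta': {state: {letter: set(states)}}, 'final'};
# letters are frozensets of propositions, i.e. elements of 2^Prop.  Everything
# below is constructed for this example, not taken from the paper.

def system_automaton(W, w0, R, V):
    """A_M = (Sigma, W, {w0}, rho, W): s' in rho(s, a) iff (s, s') in R and a = V(s).
    Every state is accepting, so every infinite run is accepting and L(A_M) = L(M)."""
    delta = {s: {} for s in W}
    for s, t in R:
        delta[s].setdefault(V[s], set()).add(t)
    return {'init': {w0}, 'delta': delta, 'final': set(W)}

def intersect(A1, A2):
    """Proposition 3 with A1 having the trivial acceptance condition (as A_M does):
    product states, F = S1 x F2, moves on letters both automata can read."""
    delta = {}
    for s, by1 in A1['delta'].items():
        for t, by2 in A2['delta'].items():
            delta[(s, t)] = {a: {(s2, t2) for s2 in by1[a] for t2 in by2[a]}
                             for a in by1.keys() & by2.keys()}
    init = {(s, t) for s in A1['init'] for t in A2['init']}
    final = {(s, t) for s in A1['delta'] for t in A2['final']}
    return {'init': init, 'delta': delta, 'final': final}

def bfs(A, sources):
    """Breadth-first search; returns a predecessor map (sources map to None)."""
    prev, queue = {s: None for s in sources}, deque(sources)
    while queue:
        s = queue.popleft()
        for targets in A['delta'].get(s, {}).values():
            for t in targets:
                if t not in prev:
                    prev[t] = s
                    queue.append(t)
    return prev

def unwind(prev, end):
    path = []
    while end is not None:
        path.append(end)
        end = prev[end]
    return path[::-1]

def accepting_lasso(A):
    """Nonemptiness by two reachability searches (quadratic; the SCC decomposition
    of Proposition 1 does the same in linear time).  Returns (prefix, cycle), an
    accepted word prefix . cycle^omega over states, or None when L(A) is empty."""
    from_init = bfs(A, A['init'])
    for f in A['final']:
        if f not in from_init:
            continue
        back = bfs(A, set().union(*A['delta'].get(f, {}).values()))
        if f in back:                      # f lies on a cycle
            return unwind(from_init, f), unwind(back, f)
    return None

def verify(system, bad):
    """M satisfies sigma iff L(A_M ∩ A_sigma^c) is empty; `bad` plays A_sigma^c.
    Returns None (M satisfies sigma) or a counterexample lasso over product states."""
    return accepting_lasso(intersect(system_automaton(*system), bad))

# Constructed system M = (W, w0, R, V) over Prop = {req, grant}.
E, RQ, GR, RG = (frozenset(s) for s in ((), ('req',), ('grant',), ('req', 'grant')))
W, W0 = {'idle', 'req', 'grant'}, 'idle'
R = {('idle', 'idle'), ('idle', 'req'), ('req', 'req'), ('req', 'grant'), ('grant', 'idle')}
V = {'idle': E, 'req': RQ, 'grant': GR}

# Büchi automaton for the *complement* of "every request is eventually granted":
# some request is followed by no grant ever (q1 is entered and never left).
BAD = {'init': {'q0'},
       'delta': {'q0': {E: {'q0'}, RQ: {'q0', 'q1'}, GR: {'q0'}, RG: {'q0'}},
                 'q1': {E: {'q1'}, RQ: {'q1'}}},
       'final': {'q1'}}

if __name__ == '__main__':
    print(verify((W, W0, R, V), BAD))                     # counterexample: req forever
    print(verify((W, W0, R - {('req', 'req')}, V), BAD))  # None: the fixed system satisfies
```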

4 Temporal Logic and Automata

Formulas of linear time propositional temporal logic (LPTL) are built from a set $Prop$
of atomic propositions and are closed under the application of Boolean connectives,
the unary temporal connective $X$ (next), and the binary temporal connective $U$ (until)
[Pnu77, GPSS80]. LPTL is interpreted over computations. A computation is a function
$\pi : \omega \to 2^{Prop}$ which assigns truth values to the elements of $Prop$ at each time instant
(natural number). For a computation $\pi$ and a point $i \in \omega$, we have that:

- $\pi, i \models p$ for $p \in Prop$ iff $p \in \pi(i)$.

- $\pi, i \models \varphi \wedge \psi$ iff $\pi, i \models \varphi$ and $\pi, i \models \psi$.

- $\pi, i \models \neg\varphi$ iff not $\pi, i \models \varphi$.

- $\pi, i \models X\varphi$ iff $\pi, i+1 \models \varphi$.

- $\pi, i \models \varphi U \psi$ iff for some $j \geq i$, $\pi, j \models \psi$ and for all $k$, $i \leq k < j$, $\pi, k \models \varphi$.

We say that $\pi$ satisfies a formula $\varphi$, denoted $\pi \models \varphi$, iff $\pi, 0 \models \varphi$. We say that a finite-state
system $M = (W, w_0, R, V)$ satisfies $\varphi$ if $\pi \models \varphi$ for every computation $\pi$ of $M$.

As we observed, computations can also be viewed as infinite words over the alphabet
$2^{Prop}$. The following theorem establishes the correspondence between LPTL and Büchi
automata.

Proposition 7. [VW94] Given an LPTL formula $\varphi$, one can build a Büchi automaton
$A_\varphi = (\Sigma, S, S_0, \rho, F)$, where $S =$ such that $L(A_\varphi)$ is
exactly the set of computations satisfying the formula $\varphi$.

It follows that $M \models \varphi$ iff $L(M) \subseteq L(A_\varphi)$ iff $L(M) \cap (\Sigma^\omega - L(A_\varphi)) = \emptyset$ iff
$L(M) \cap L(A_{\neg\varphi}) = \emptyset$ iff $L(A_M \cap A_{\neg\varphi}) = \emptyset$. Note that rather than construct first $A_\varphi$ and
then $A_\varphi^c$, involving a doubly exponential blow-up, we can construct directly $A_{\neg\varphi}$, as,
clearly, $L(A_{\neg\varphi}) = L(A_\varphi^c)$. By Proposition 7 the number of states of $A_{\neg\varphi}$ is $2^{O(|\varphi|)}$.
Consequently, the automaton $A_M \cap A_{\neg\varphi}$ has $|W| \cdot 2^{O(|\varphi|)}$ states. Using Proposition 1
we get:

Theorem 8. Checking whether a formula $\varphi$ is satisfied by a finite-state program $M$
can be done in time $O(\|M\| \cdot 2^{O(|\varphi|)})$.

It is unlikely that the exponential bound can be improved, as the problem is PSPACE-complete
[SC85]. Note that regardless of whether the specification is expressed using a
Büchi automaton or an LPTL formula, the complexity is linear in the size of the system
and exponential in the size of the specification.
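The five semantic clauses above, as an added example (not code from the paper): an evaluator for LPTL over ultimately periodic computations, which are the computations a finite-state system produces along a cycle. The tuple encoding of formulas and the sample computations over Prop = {req, grant} are constructed here.

```python
# Formulas are nested tuples (our encoding, not the paper's syntax):
#   ('true',) | ('p', name) | ('not', f) | ('and', f, g) | ('X', f) | ('U', f, g)
# A computation pi : omega -> 2^Prop is a pair (prefix, loop) of lists of sets:
# pi(i) = prefix[i] for i < |prefix| and loop[(i - |prefix|) % |loop|] afterwards.

def letter(pi, i):
    prefix, loop = pi
    return prefix[i] if i < len(prefix) else loop[(i - len(prefix)) % len(loop)]

def holds(pi, i, f):
    """pi, i |= f, clause by clause as in Section 4."""
    prefix, loop = pi
    kind = f[0]
    if kind == 'true':
        return True
    if kind == 'p':                       # pi, i |= p  iff  p in pi(i)
        return f[1] in letter(pi, i)
    if kind == 'not':
        return not holds(pi, i, f[1])
    if kind == 'and':
        return holds(pi, i, f[1]) and holds(pi, i, f[2])
    if kind == 'X':                       # pi, i |= X f  iff  pi, i+1 |= f
        return holds(pi, i + 1, f[1])
    if kind == 'U':                       # some j >= i with g at j and f on [i, j)
        # From position |prefix| on, truth values repeat with period |loop|, so a
        # witness j, if one exists, lies below max(i, |prefix|) + |loop|.
        for j in range(i, max(i, len(prefix)) + len(loop)):
            if holds(pi, j, f[2]):
                return True
            if not holds(pi, j, f[1]):
                return False
        return False
    raise ValueError(f"unknown connective {kind!r}")

def satisfies(pi, f):
    """pi |= f  iff  pi, 0 |= f."""
    return holds(pi, 0, f)

# Derived connectives, defined from the primitive ones.
def P(name): return ('p', name)
def Not(f): return ('not', f)
def And(f, g): return ('and', f, g)
def Or(f, g): return Not(And(Not(f), Not(g)))
def Implies(f, g): return Or(Not(f), g)
def X(f): return ('X', f)
def U(f, g): return ('U', f, g)
def F(f): return U(('true',), f)          # eventually
def G(f): return Not(F(Not(f)))           # always

# Constructed computations over Prop = {req, grant}.
PI_OK = ([set()], [{'req'}, {'grant'}])      # {} ({req} {grant})^omega
PI_BAD = ([set()], [{'req'}])                # {} {req}^omega: a request never granted
RESPONSE = G(Implies(P('req'), F(P('grant'))))

if __name__ == '__main__':
    print(satisfies(PI_OK, RESPONSE), satisfies(PI_BAD, RESPONSE))   # True False
    print(satisfies(PI_OK, X(X(P('grant')))))                        # True
```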
5 Probabilistic Systems

We model probabilistic systems by (finite-state) Markov chains. The basic intuition is
that transition between states is governed by some probability distribution. A Markov
chain $M = (W, P, P_0)$ consists of a finite state space $W$; a transition probability function
$P : W \times W \to [0,1]$, such that $\sum_{v \in W} P(u,v) = 1$ for all $u \in W$; and an initial
probability distribution $P_0 : W \to [0,1]$, such that $\sum_{u \in W} P_0(u) = 1$.

As in the standard theory of Markov processes (see (EsSnilESIIl)), we define a
probability space called the sequence space $\Psi_M = (\Omega, \Delta, \mu)$, where $\Omega = W^\omega$ is the
set of all infinite sequences of states, $\Delta$ is a Borel field generated by the basic cylindric
sets

$$A(w_0, w_1, \ldots, w_n) = \{ w \in \Omega \mid w = w_0, w_1, \ldots, w_n, \ldots \},$$

and $\mu$ is a probability distribution defined by

$$\mu(A(w_0, w_1, \ldots, w_n)) = P_0(w_0) \cdot P(w_0, w_1) \cdot P(w_1, w_2) \cdot \ldots \cdot P(w_{n-1}, w_n).$$

Consider a language $\sigma \subseteq W^\omega$ viewed as specification, that is measurable wrt the
sequence space $\Psi_M$. We say that $M$ almost surely satisfies $\sigma$ if $\mu(\sigma) = 1$, that is, if
"almost" all computations of $M$ are in $\sigma$.

Suppose that $\sigma$ is expressed in terms of a deterministic automaton $A = (W, S, s_0, \rho, G)$.
It can be shown that in this case $\sigma$ is measurable [Var85]. We define the product
chain $M \times A = (W \times S, P', P_0')$, where $P_0'((w, s_0)) = P_0(w)$ and $P_0'((w, s)) = 0$
if $s \neq s_0$, and $P'((u,s),(v,t)) = P(u,v)$ if $t = \rho(s,u)$ and $P'((u,s),(v,t)) = 0$
if $t \neq \rho(s,u)$. If $G$ is the acceptance condition $[(L_1, U_1), \ldots, (L_k, U_k)]$ (Rabin or
Streett), then take $W \times G$ to be $[(W \times L_1, W \times U_1), \ldots, (W \times L_k, W \times U_k)]$. Let
$sat(W \times G)$ be the set of sequences that satisfy the acceptance condition $W \times G$, i.e.,
whose limit is accepting.

Lemma 9. $\mu_M(L(A)) > 0$ iff $\mu_{M \times A}(sat(W \times G)) > 0$.

Lemma 9 enables us to focus on the behavior of the Markov chain in the limit. Let
$M = (W, P, P_0)$ be a Markov chain and let $\alpha \subseteq 2^W \times 2^W$ be a Streett acceptance
condition. Consider the graph $G_M = (W, W_0, E_M)$, where $W_0 = \{w \mid P_0(w) > 0\}$
and $E_M = \{(u, v) \mid P(u, v) > 0\}$. An ergodic set in $G_M$ is a terminal maximal strongly
connected component that is reachable from $W_0$. Such a set is closed with respect to all
positive transitions of $M$.

Lemma 10. $\mu_M(sat(\alpha)) > 0$ iff some ergodic set of $G_M$ is accepting wrt $\alpha$.

Note that in this analysis the exact transition probabilities are irrelevant. All that counts
is whether a transition probability is 0 or not.

Ergodic analysis can also be viewed from an automata-theoretic perspective. Define
the Streett automaton $A_M = (\{a\}, W, W_0, \rho_P, \alpha \cup \beta)$, where $\{a\}$ is a singleton
alphabet, $\rho_P(u, a) = \{v \mid P(u, v) > 0\}$, and $\beta = \{(\{u\}, \{v\}) \mid P(u, v) > 0\}$.

Lemma 11. $\mu_M(sat(\alpha)) > 0$ iff $L(A_M) \neq \emptyset$.

The intuition behind the lemma is that probabilistic behavior is essentially a "fair" behavior.

We can now consider the algorithmic aspect of verifying probabilistic systems. Suppose
that we are given a Markov chain $M$ and a nondeterministic automaton $A_\sigma$. We
want to check whether $M$ almost surely satisfies $\sigma$. We construct the co-deterministic
Streett automaton $A_\sigma^{cd}$, per Proposition 5. We know that $M$ almost surely satisfies $\sigma$
iff $\mu_M(L(A_\sigma^{cd})) = 0$. Thus, we can form the product chain $M \times A_\sigma^{cd}$ and then apply
Lemmas 9 and 10.

Theorem 12. Checking whether a Büchi automaton $A_\sigma$ with $n$ states is almost surely
satisfied by a Markov chain $M$ can be done in time polynomial in $\|M\|$ and exponential
in $n$.

It is unlikely that the exponential bound can be improved, as the problem is PSPACE-complete
[Var85].

Suppose now that we have an assignment $V : W \to 2^{Prop}$ and the specification
is given by an LPTL formula $\varphi$ over $Prop$. Let $L(\varphi)$ consist of all sequences $w \in
\Omega$ such that $V(w)$ satisfies $\varphi$. It can be shown that $L(\varphi)$ is measurable [Var85]. We
want to verify that $M$ almost surely satisfies $\varphi$, i.e., $M$ almost surely satisfies $L(\varphi)$.
We can apply Proposition 7 and construct $A_\varphi$ and then proceed with the algorithm
of Theorem 12. The resulting algorithm is polynomial in the size of $M$, but is doubly
exponential in the size of $\varphi$. Courcoubetis and Yannakakis [CY95] showed how almost-sure
satisfaction of LPTL formulas over Markov chains can be checked in time that is
exponential in the size of the specification. The algorithm does not use the translation
of LPTL formulas to Büchi automata. We will return to this point in the concluding
discussion.

6 Reactive Probabilistic Programs

So far we viewed systems as Markov chains. This model assumes that all the transitions
of a system are probabilistic. This is adequate for closed systems, whose transitions are
internally driven. In reactive systems, which interact with their external environments
[HP85], some transitions are inherently nondeterministic.

A (finite-state) reactive Markov chain $M = (W, N, P, P_0)$ is a Markov chain
$(W, P, P_0)$ with a set $N \subseteq W$ of nondeterministic states (the states in $W - N$ are
the probabilistic states). The idea is that $W - N$ is the set of states where a probabilistic
transition has to be made and $N$ is the set of states where a nondeterministic
transition has to be made. If $u \in N$, then we interpret $P(u, v)$ to mean that there is a
possible transition from $u$ to $v$ if and only if $P(u, v) > 0$.

This model, originally named concurrent Markov chain, was proposed in [Var85],
based on earlier ideas in [HSP83]. It turns out, however, that it is simply another guise of
Markov decision processes [Der70].

272 Moshe Y. Vardi

To define the sequence space of a reactive Markov chain it is convenient to imagine
a scheduler, which makes all the nondeterministic choices. A scheduler for a reactive
Markov chain $M = (W, N, P, P_0)$ is a function $\tau : W^* N \to W$, i.e., a function that
assigns a state to each sequence of states that ends with a nondeterministic state, such
that $\tau(w_0, \ldots, w_n) = w$ only if $P(w_n, w) > 0$.

Let $M = (W, N, P, P_0)$ be a reactive Markov chain. A scheduler $\tau$ for $M$ gives rise
to an infinite Markov chain $M^\tau = (W^+, P^\tau, P_0^\tau)$, where

- $P_0^\tau(w) = P_0(w)$ for all $w \in W$ and $P_0^\tau(x) = 0$ for all $x \in W^+ - W$,

- $P^\tau : W^+ \times W^+ \to [0,1]$ is defined as follows (where $x$ and $y$ are arbitrary
members of $W^+$):

• $P^\tau(xu, xuv) = P(u, v)$ if $u \in W - N$,

• $P^\tau(xu, xuv) = 1$, if $u \in N$ and $\tau(xu) = v$, and

• $P^\tau(x, y) = 0$, otherwise.

Intuitively, $M^\tau$ describes the behavior of the system under the scheduler $\tau$.

Consider a specification $\sigma \subseteq W^\omega$. We need to "lift" $\sigma$ to the level of $M^\tau$. To
that end, we define a mapping $V : W^+ \to W$ by $V(u_1 u_2 \cdots u_n) = u_n$. Now take
$L(\sigma) \subseteq (W^+)^\omega$ as the set of sequences $u \in (W^+)^\omega$ such that $V(u) \in \sigma$. We now say
that $M$ almost surely satisfies $\sigma$ if $\mu_{M^\tau}(L(\sigma)) = 1$ for all schedulers $\tau$. The intuition is
that $\sigma$ almost surely holds regardless of the environment decisions. Dually, we can ask
whether there exists a scheduler $\tau$ such that $\mu_{M^\tau}(L(W^\omega - \sigma)) > 0$.

Suppose that $\sigma$ is given in terms of a deterministic Streett automaton $A$ with acceptance
condition $G$. Then, as in Lemma 9, almost sure satisfaction of $A$ can be reduced
to checking a limit property.

Lemma 13. There exists a scheduler $\tau$ such that $\mu_{M^\tau}(L(A)) > 0$ iff there exists a
scheduler $\tau$ such that $\mu_{M^\tau \times A}(sat(W \times G)) > 0$.

As we did with Markov chains, we use ergodic analysis to check limit properties.
Let $M = (W, N, P, P_0)$ be a reactive Markov chain and let $\alpha \subseteq 2^W \times 2^W$ be a
Streett acceptance condition. Consider the graph $G_M = (W, W_0, E_M)$, where $W_0 =
\{w \mid P_0(w) > 0\}$ and $E_M = \{(u, v) \mid P(u, v) > 0\}$. An ergodic set in $G_M$ is a strongly
connected component of $G_M$ that is reachable from $W_0$ and is closed under the positive
probabilistic transitions of $M$, i.e., under $E_M \cap ((W - N) \times W)$.

Lemma 14. There exists a scheduler $\tau$ such that $\mu_{M^\tau}(sat(\alpha)) > 0$ iff some ergodic
set of $G_M$ is accepting wrt $\alpha$.

Again, the ergodic analysis can also be viewed from an automata-theoretic perspective.
Define the Streett automaton $A_M = (\{a\}, W, W_0, \rho_P, \alpha \cup \beta)$, where $\{a\}$
is a singleton alphabet, $\rho_P(u, a) = \{v \mid P(u, v) > 0\}$, and $\beta = \{(\{u\}, \{v\}) \mid u \in
W - N \text{ and } P(u, v) > 0\}$.

Lemma 15. There exists a scheduler $\tau$ such that $\mu_{M^\tau}(sat(\alpha)) > 0$ iff $L(A_M) \neq \emptyset$.

Probabilistic Linear-Time Model Checking 273

To check that a reactive Markov chain almost surely satisfies a Büchi automaton $A_\sigma$
or an LPTL formula $\varphi$ we proceed as we did with Markov chains. We first construct a
deterministic Streett automaton for the complementary specification. The cost is exponential
for Büchi automata and doubly exponential for LPTL formulas. We then take the
product with the chain and perform ergodic analysis. The resulting complexity is polynomial
in the size of the chain, exponential in the size of $A_\sigma$ and doubly exponential
in the size of $\varphi$. A 2EXPTIME lower bound in [CY95] shows that the latter bound is
asymptotically optimal.

We note that the automata-theoretic framework lends itself easily to the incorporation
of fairness. The intuition underlying fairness is that we want to restrict attention to
only "well-behaved" schedulers [BK97]. For example, we may want to assume that if
a transition is enabled infinitely often then it is taken infinitely often. Streett conditions
enable us to express rather general fairness properties [Fra86]. We say that a scheduler
$\tau$ is fair wrt a fairness condition $G$ if $\mu_{M^\tau}(sat(G)) = 1$. We can now modify the
definition of almost-sure satisfaction by quantifying universally only over fair schedulers.
It turns out that the algorithmic modification required to handle fairness is rather
straightforward; all we have to do is to add the Streett condition describing the fairness
condition to the Streett condition used in Lemmas 11 and 15.
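The ergodic analysis of Sections 5 and 6 (Lemmas 9, 10, 13 and 14, and the algorithm behind Theorem 12), as an added example that is not code from the paper: the product chain with a deterministic Streett automaton, ergodic sets computed as a fixpoint over the zero/non-zero structure of $P$, and the Streett check, which shrinks a non-accepting ergodic set as in Proposition 2 so that the nondeterministic case is handled as well; a plain Markov chain is the case $N = \emptyset$. The co-deterministic automaton of Proposition 5 is assumed given, and the chains and automaton below are constructed for this example. Adding a fairness condition amounts to appending its pairs to `alpha`.

```python
# A reactive Markov chain M = (W, N, P, P0) is a dict with the state set W, the
# nondeterministic states N (empty for a plain Markov chain), and P, P0 as dicts
# holding only their positive entries, since only "P(u, v) > 0 or not" matters.
# A deterministic Streett automaton A = (W, S, s0, rho, G) reads the state sequence
# of M: rho maps (s, u) to the next automaton state, G is a list of pairs (L, U).
# All inputs are constructed here, not taken from the paper.

def succ(P, u):
    return {v for v, p in P.get(u, {}).items() if p > 0}

def reach(P, sources, within):
    seen = set(sources) & within
    stack = list(seen)
    while stack:
        for v in succ(P, stack.pop()):
            if v in within and v not in seen:
                seen.add(v)
                stack.append(v)
    return seen

def sccs(P, states):
    """Maximal strongly connected components of G_M restricted to `states`
    (u and v share a component iff each reaches the other inside `states`)."""
    r = {u: reach(P, {u}, states) for u in states}
    comps, done = [], set()
    for u in states:
        if u not in done:
            comp = {v for v in r[u] if u in r[v]}
            done |= comp
            comps.append(comp)
    return comps

def ergodic_sets(P, N, states):
    """Strongly connected sets closed under the positive probabilistic transitions
    (Section 6); for N empty these are the terminal components of Section 5.
    Fixpoint: drop a probabilistic state with a successor outside its component
    and any state with no successor inside it, then recompute the components."""
    states = set(states)
    while True:
        comps = sccs(P, states)
        bad = set()
        for C in comps:
            for u in C:
                out = succ(P, u)
                if not out & C or (u not in N and not out <= C):
                    bad.add(u)
        if not bad:
            return comps
        states -= bad

def accepting(C, alpha):
    """Streett acceptance of the limit set C: C meets L only if it meets U."""
    return all(not C & L or bool(C & U) for L, U in alpha)

def positive_probability_streett(M, alpha):
    """Lemmas 10 and 14: mu(sat(alpha)) > 0 for some scheduler?  A non-accepting
    ergodic set is shrunk as in Proposition 2 (its states in L are dropped for
    every pair that meets L but not U) and the closed strongly connected subsets
    of what remains are examined recursively; for a plain chain none survive."""
    W0 = {w for w, p in M['P0'].items() if p > 0}
    return _exists_accepting(M['P'], M['N'], alpha, reach(M['P'], W0, M['W']))

def _exists_accepting(P, N, alpha, states):
    for C in ergodic_sets(P, N, states):
        if accepting(C, alpha):
            return True
        drop = set().union(*(C & L for L, U in alpha if C & L and not C & U))
        if _exists_accepting(P, N, alpha, C - drop):
            return True
    return False

def product(M, A):
    """M x A of Lemmas 9 and 13: (u, s) moves to (v, rho(s, u)) with probability
    P(u, v); the initial mass of w sits on (w, s0); W x G lifts each pair."""
    W, S = M['W'], A['S']
    P2 = {(u, s): {(v, A['rho'][(s, u)]): p for v, p in M['P'].get(u, {}).items()}
          for u in W for s in S}
    prod = {'W': {(u, s) for u in W for s in S}, 'N': {(u, s) for u in M['N'] for s in S},
            'P': P2, 'P0': {(w, A['s0']): p for w, p in M['P0'].items()}}
    alpha = [({(u, s) for u in W for s in L}, {(u, s) for u in W for s in U}) for L, U in A['G']]
    return prod, alpha

def positive_probability(M, A):
    """mu_M(L(A)) > 0 for some scheduler; Theorem 12 applies this to A = A_sigma^cd."""
    return positive_probability_streett(*product(M, A))

# Constructed chain: a -> b or c (1/2 each), b absorbing, c -> a.  In RMC the state a
# is nondeterministic, so a scheduler may always pick c.
MC = {'W': {'a', 'b', 'c'}, 'N': set(), 'P0': {'a': 1.0},
      'P': {'a': {'b': 0.5, 'c': 0.5}, 'b': {'b': 1.0}, 'c': {'a': 1.0}}}
RMC = dict(MC, N={'a'})

# Deterministic Streett automaton for "c occurs infinitely often": its state records
# whether the state just read was c; G = [({s_o, s_c}, {s_c})].
INF_C = {'S': {'s_o', 's_c'}, 's0': 's_o', 'G': [({'s_o', 's_c'}, {'s_c'})],
         'rho': {(s, u): ('s_c' if u == 'c' else 's_o') for s in ('s_o', 's_c') for u in 'abc'}}

if __name__ == '__main__':
    print(positive_probability(MC, INF_C), positive_probability(RMC, INF_C))   # False True
```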



7 Concluding Remarks 

Over the last 15 years, the automata-theoretic approach to verification has proven itself
to be a rather powerful paradigm. Essentially, almost all decision problems related to
specification and verification of finite-state systems can be expressed and solved using
automata-theoretic tools. See [VW86, EJ91, VW94, BVW94, CY95, KV97] for numerous
examples. The result in Section 5 is a rare exception. As we saw there, using the
automata-theoretic approach we obtained an algorithm for checking almost-sure satisfaction
of LPTL formulas over Markov chains whose complexity is doubly exponential
in the size of the input formula. A non-automata-theoretic algorithm, whose complexity
is exponentially lower (i.e., a single exponential) is described in [CY95]. Can the improved
algorithm be given an automata-theoretic account? We believe that the answer
is positive and suspect that such an account can be given in terms of "weak alternating
automata" [Var96, KV97b].
Abstract. A real-time system for power-down control in audio/video components
is modeled and verified using the real-time model checker UPPAAL. The
system is supposed to reside in an audio/video component and control (read from
and write to) links to neighbor audio/video components such as TV, VCR and
remote-control. In particular, the system is responsible for the powering up and
down of the component in between the arrival of data, and in order to do so in a
safe way without loss of data, it is essential that no link interrupts are lost. Hence,
a component system is a multitasking system with hard real-time requirements,
and we present techniques for modeling time consumption in such a multitasked,
prioritized system. The work has been carried out in a collaboration between Aalborg
University and the audio/video company B&O. By modeling the system, 3
design errors were identified and corrected, and the following verification confirmed
the validity of the design but also revealed the necessity for an upper limit
of the interrupt frequency. The resulting design has been implemented and it is
going to be incorporated as part of a new product line.



1 Introduction 



Since the basic results by Alur, Courcoubetis and Dill [3, 4] on decidability of model
checking for real-time systems with dense time, a number of tools for automatic verification
of hybrid and real-time systems have emerged liTFTTO. These tools have by
now reached a state where they are mature enough for application on industrial development
of real-time systems, as we hope to demonstrate in this paper.

One such tool is the real-time verification tool UPPAAL¹ [0] developed jointly by
BRICS² at Aalborg University and Department of Computing Systems at Uppsala University.
The tool provides support for automatic verification of safety and bounded
liveness properties of real-time systems and contains a number of additional features
including graphical interfaces for designing and simulating system models. The tool
has been applied successfully to a number of case-studies 111 311 81510116191 which can
roughly be divided in two classes: real-time controllers and real-time communication
protocols.

¹ See URL: http://www.docs.uu.se/docs/rtmv/uppaal for information about UPPAAL.

² BRICS - Basic Research in Computer Science - is a basic research centre funded by the Danish
government at Aarhus and Aalborg University.
Industrial developers of embedded systems have been following the above work
with great interest, because the real-time aspects of concurrent systems can be extremely
difficult to analyze during the design and implementation phase. One such
company is Bang & Olufsen (B&O) - having development and production of fully
integrated home audio/video systems as a main activity.

The work presented in this paper documents a collaboration between AAU (Aalborg
University) - under the BRICS project - and B&O on the development of one
of the company's new designs: a system for audio/video power control. The system is
supposed to reside in an audio/video component and control (read from and write to)
links to neighbor audio/video components such as TV, VCR and remote-control. In
particular, the system is responsible for the powering up and down of the component in
between the arrival of data, and in order to do so, it is essential that no link interrupts
are lost. The work is a continuation of an earlier successful collaboration HU between
the same two organizations, where an existing audio/video protocol for detecting collisions
on a link between audio/video components was analyzed and found to contain a
timing error causing occasional data loss. The interesting point was that the error was
a decade old, like the protocol, and that it was known to exist - but normal testing had
never been sufficient in tracking down the reason for the error.

The collaboration between B&O and AAU spanned 3 weeks (4 including report
writing), and was very intense the first week, where a representative from B&O visited
AAU, and a first sketch of the model was produced. During the next two weeks,
the model was refined, and 15 properties formulated by B&O in natural language were
formalized and then verified using the Uppaal model checker. During a meeting, revisions
to the model and properties were suggested, and a final effort was spent on model
revision, re-verification and report writing. The present paper is an intensive elaboration
of the preliminary report 111 2IH.

The paper is structured as follows. Section 2 contains an informal description of the
B&O protocol, and in section 3 we present the UPPAAL modeling language and tool.
In section 4 we present our techniques for modeling timed transitions and interrupts in
the Uppaal language. Section 5 presents the formal modeling of this protocol in the
Uppaal language, while section 6 presents the verification results. Finally section 7
provides an evaluation of the project and points out future work.



2 Informal Description of the Power Down Protocol 

In this section, we provide an informal description of the designed protocol for power
down control in an audio/video component. As advocated in iini, we divide the description
into environment, syntax, and protocol rules.

2.1 Protocol Environment

A typical B&O configuration consists of a number of components, which are interconnected
by different kinds of links carrying audio/video data and (or) control information.
Each component is equipped with two processors controlling audio/video devices

³ A full version of the paper is available at
http://ic-www.arc.nasa.gov/ic/projects/amphion/people/havelund.
and links, and among other tasks, the processors must minimize the energy consumption
when the component goes stand by. Each processor may be in one of two modes:
(1) active, where it is operational and can handle its devices and links, (2) stand by,
where it is unable to do anything except wake up and enter active mode. One of the
processors acts as a master in the sense that it may order the other processor (the slave)
to enter stand by mode (and thereby reduce energy consumption). Due to physical law⁴,
a processor cannot leave stand by mode via one atomic action, and the purpose of the
protocol is to ensure that stand by operation is handled in a consistent way, i.e. when
one of the processors enters or leaves stand by mode, this is also recognized by the other
processor. Furthermore, whenever a processor senses valid data on an external link, it
must leave stand by operation. Also, the real-time duration for switching between the
modes may not exceed a given upper limit in order not to lose messages.

Figure 1 illustrates the processor interconnection and our model of the software architecture
for one of the processors. Each processor communicates with devices and
other components via external links⁵, and the two processors are interconnected via an
internal link. The software architecture will be almost identical for the two processors,
and in this report we concentrate on the IOP3212 processor - the slave processor. The
main software module is the IOP process which communicates with the AP processor,
the external link drivers, and the interrupt handlers according to the protocol rules described
below. The protocol forms the crucial part of the software design, because it
must assure that no data and interrupts are lost (in order to leave stand by operation at
due time).

2.2 Protocol Syntax

The power down protocol entity (the IOP process) communicates with its environment
(AP processor, link drivers and interrupt handlers) via the protocol commands
in the set: {ap_down, ap_active, ap_down_ack, ap_down_nack, data, no_data, interrupt,
no_interrupt}. The ap_down command is sent from the AP processor and commands
the IOP processor to enter stand by operation. The data command is sent from a link
driver and indicates that meaningful input has been detected on the link, whereas the
no_data command indicates that there is no input from the link. Likewise, the interrupt
(no_interrupt) command is sent from the link interrupt handler and indicates
that an interrupt (or no interrupt) has been received at the link interrupt interface.
The commands ap_active, ap_down_ack, ap_down_nack inform the AP3002 processor
about state changes of the protocol, that is, ap_active is sent when the IOP3212 processor
becomes active, ap_down_ack is sent when it accepts to enter stand by mode, and
ap_down_nack is sent when stand by cannot be entered.

2.3 Protocol Rules

In order to give an intuitive explanation of the protocol, we describe below in an informal
way the major protocol rules, which must be obeyed by the IOP protocol entity. We

⁴ It takes e.g. approx. 1 ms to make the processor operational when it has been in stand by
operation.

⁵ The figure illustrates a configuration with one external link, the LSL link.
Fig. 1. Software architecture of the power down protocol. The protocol entity process
(IOP) receives protocol commands (left arrows) from the drivers and interrupt handlers
by issuing check commands (right arrows).

leave out the details on communication with interrupt handlers and drivers, which will
be described in the formalization section. In order to structure the description, we define
the following major phases (see Figure 2 below) for the entity: the active phase, where
the IOP is in normal (active) operation, the check driver phase, where the IOP process
is waiting for a driver status (no data/data) in order to decide whether or not to leave
the active phase, the stand_by phase, where the IOP processor is out of operation, and
the check interrupts phase, where the IOP processor is waiting for an interrupt handler
status (no interrupt/interrupt) in order to decide whether or not to enter the stand by
phase. We use ?/! to indicate protocol input/output in the usual way.

Active rule In the active phase, the IOP protocol entity must enter the check driver
phase, whenever an ap_down command is received from the AP processor.

Check driver rule In the check driver phase, the IOP protocol entity commands the
drivers to check whether or not meaningful data are received from the links. The
outcome of the check defines the succeeding phase according to Figure 2.

Stand_by rule Whenever an interrupt is received in the stand by phase, the IOP protocol
entity must enter the check driver phase.

Check interrupts rule In the check interrupts phase, the protocol entity commands the
interrupt handlers to check for pending interrupts. If no interrupts are pending, the
stand by phase can safely be entered. Otherwise, the check driver phase is entered.

The above rules have to be implemented in such a way that (1) whenever an interrupt
is received and meaningful data is present on the given link, the active phase
must be entered, and (2) whenever a down signal is received from the AP processor
and no interrupts and valid data are present, the stand by phase must be entered. The
Fig. 2. Major protocol phases. The dotted lines indicate transitions leading towards
power down. The full lines are leading towards power up. The two neighboring 'check
driver' phases are necessary in order to be able to ignore noise from the communication
lines.

delay caused by software of these transitions may not exceed 1500 μs since otherwise
data may be lost.

The informal rules form the basis for the model design, and in the analysis section,
we present a complete list of protocol requirements in terms of properties of the formal
protocol model.

3 The Uppaal Model and Tool 

Uppaal is a tool box for symbolic simulation and automatic verification of real-timed
systems modeled as networks of timed automata [3] extended with global shared integer
variables. More precisely, a model consists of a collection of non-deterministic
processes with finite control structure and real-valued clocks communicating through
channels and shared integer variables. The tool box is developed in collaboration between
BRICS at Aalborg University and Department of Computing Systems at Uppsala
University, and has been applied to several case-studies linilRISIhllfilQI.

The current version of UPPAAL is implemented in C++, XFORMS and MOTIF and
includes the following main features:

- A graphical interface based on Autograph [8] allowing graphical descriptions of
systems.

- A compiler transforming graphical descriptions into a textual programming format.

- A simulator, which provides a graphical visualization and recording of the possible
dynamic behaviors of a system description. This allows for inexpensive fault
detection in the early modeling stages.

- A model checker for automatic verification of safety and bounded-liveness properties
by on-the-fly reachability analysis.
- Generation of (shortest) diagnostic traces in case verification of a particular real-time
system fails. The diagnostic traces may be graphically visualized using the
simulator.

A system description (or model) in Uppaal consists of a collection of automata
modeling the finite control structures of the system. In addition the model uses a finite
set of (global) real-valued clocks and integer variables.

Consider the model of Figure 3. The model consists of two components A and B
with control nodes {A0, A1, A2, A3} and {B0, B1, B2, B3} respectively. In addition
to these discrete control structures, the model uses two clocks x and y, one integer
variable n and a channel a for communication.


[Figure 3: automaton A with control nodes A0 (invariant y <= 6), A1, A2, A3 and a reset y := 0; automaton B with control nodes B0 (invariant x <= 4), B1, B2, B3, a guard x >= 2 and a reset x := 0]

Fig. 3. An example UPPAAL model



The edges of the automata are decorated with three types of labels: a guard, expressing a condition on the values of clocks and integer variables that must be satisfied in order for the edge to be taken; a synchronization action which is performed when the edge is taken, forcing, as in CCS [?], synchronization with another component on a complementary action*; and finally a number of clock resets and assignments to integer variables. All three types of labels are optional: absence of a guard is interpreted as the condition true, and absence of a synchronization action indicates an internal (non-synchronizing) edge similar to τ-transitions in CCS. Reconsider Figure 3. Here the edge between A0 and A1 can only be taken when the value of the clock y is greater than or equal to 3. When the edge is taken the action a! is performed, thus insisting on synchronization with B on the complementary action a?; that is, for A to take the edge in question, B must simultaneously be able to take the edge from B0 to B1. Finally, when taking the edge, the clock y is reset to 0.

In addition, control nodes may be decorated with so-called invariants, which express constraints on the clock values in order for control to remain in a particular node. Thus, in Figure 3 control can only remain in A0 as long as the value of y is no more than 6.

* Given a channel name a, a! and a? denote complementary actions corresponding to sending respectively receiving on the channel a.
Formally, states of a Uppaal model are of the form (l, v), where l is a control vector indicating the current control node for each component of the network and v is an assignment giving the current value for each clock and integer variable. The initial state of a Uppaal model consists of the initial node of all components* and an assignment giving the value 0 for all clocks and integer variables. A Uppaal model determines the following two types of transitions between states:

Delay transitions As long as none of the invariants of the control nodes in the current state are violated, time may progress without affecting the control node vector and with all clock values incremented with the elapsed duration of time. In Figure 3, from the initial state ((A0,B0), x = 0, y = 0, n = 0) time may elapse 3.5 time units leading to the state ((A0,B0), x = 3.5, y = 3.5, n = 0). However, time cannot elapse 5 time units as this would violate the invariant of B0.

Action transitions If two complementary labeled edges of two different components are enabled in a state then they can synchronize. Thus in state ((A0,B0), x = 3.5, y = 3.5, n = 0) the two components can synchronize on a, leading to the new state ((A1,B1), x = 0, y = 0, n = 5) (note that x, y, and n have been appropriately updated). If a component has an internal edge enabled, the edge can be taken without any synchronization. Thus in state ((A1,B1), x = 0, y = 0, n = 5), the B-component can take its internal edge without synchronizing with A, leading to the state ((A1,B2), x = 0, y = 0, n = 6).

Finally, in order to enable modeling of atomicity of transition-sequences of a particular component (i.e. without time-delay and interleaving of other components) nodes may be marked as committed (indicated by a c-prefix). If in a state one of the components is in a control node labeled as being committed, no delay is allowed to occur and any action transition (synchronizing or not) must involve the particular component (the component is so-to-speak committed to continue). In the state ((A1, B1), x = 0, y = 0, n = 5) B1 is committed; thus without any delay the next transition must involve the B-component. Hence the two first transitions of B are guaranteed to be performed atomically. Besides ensuring atomicity, the notion of committed nodes also helps in significantly reducing the space-consumption during verification. Channels can in addition be defined as urgent: when two components can synchronize on an urgent channel no further delay is allowed before communication takes place.
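The delay, action and committed rules above, as an added example that is not code from the paper or from the UPPAAL tool: a small interpreter replaying the transitions discussed on the Figure 3 fragment. Assumed from the text (the figure is not reproduced): A0 has invariant y <= 6 and the edge A0 -> A1 has guard y >= 3, action a! and reset y := 0; B0 has invariant x <= 4 and the edge B0 -> B1 has guard x >= 2, action a?, reset x := 0 and assignment n := 5; B1 is committed with an internal edge B1 -> B2 doing n := n + 1.

```python
"""Added example (not from the paper or the UPPAAL tool): a small interpreter
for the delay / action / committed semantics described above, replaying the
transitions the text discusses on the Figure 3 fragment.  Invariants are upper
bounds on clocks, so a delay is legal exactly when the valuation reached at the
end of the delay still satisfies every invariant."""


class Edge:
    def __init__(self, src, dst, guard=None, action=None, update=None):
        self.src, self.dst = src, dst
        self.guard = guard or (lambda v: True)       # absent guard means true
        self.action = action                          # "a!", "a?" or None (internal)
        self.update = update or (lambda v: None)      # resets/assignments, in place


class Automaton:
    def __init__(self, name, initial, edges, invariants, committed=()):
        self.name, self.initial, self.edges = name, initial, edges
        self.invariants = invariants                  # node -> predicate on valuation
        self.committed = set(committed)


class Network:
    def __init__(self, automata, clocks, variables):
        self.automata, self.clocks, self.variables = automata, clocks, variables

    def initial_state(self):
        control = {a.name: a.initial for a in self.automata}
        return control, {x: 0 for x in self.clocks + self.variables}

    def _advanced(self, val, d):
        return {x: v + d if x in self.clocks else v for x, v in val.items()}

    def can_delay(self, control, val, d):
        """Delay transition: forbidden while any component sits in a committed
        node, and only allowed if no invariant is violated after the delay."""
        if any(control[a.name] in a.committed for a in self.automata):
            return False
        new = self._advanced(val, d)
        return all(a.invariants.get(control[a.name], lambda v: True)(new)
                   for a in self.automata)

    def delay(self, control, val, d):
        if not self.can_delay(control, val, d):
            raise ValueError("delay of %s not allowed here" % d)
        return dict(control), self._advanced(val, d)

    def enabled(self, control, val):
        """Enabled action transitions: a single internal edge, or a pair of
        complementary edges of two different components.  While some component
        is committed, every transition must involve a committed component."""
        committed = {a.name for a in self.automata if control[a.name] in a.committed}
        ready = {a.name: [e for e in a.edges if e.src == control[a.name] and e.guard(val)]
                 for a in self.automata}
        result = []
        for n, edges in ready.items():
            for e in edges:
                if e.action is None:
                    if not committed or n in committed:
                        result.append(((n, e),))
                elif e.action.endswith("!"):
                    for m, partners in ready.items():
                        for f in partners:
                            if m != n and f.action == e.action[:-1] + "?":
                                if not committed or {n, m} & committed:
                                    result.append(((n, e), (m, f)))
        return result

    def fire(self, control, val, transition):
        control, val = dict(control), dict(val)
        for name, edge in transition:                 # sender's updates run first
            control[name] = edge.dst
            edge.update(val)
        return control, val


# Assumed reading of Figure 3 (see the lead-in): only the edges the text uses.
A = Automaton("A", "A0",
              [Edge("A0", "A1", guard=lambda v: v["y"] >= 3, action="a!",
                    update=lambda v: v.update(y=0))],
              {"A0": lambda v: v["y"] <= 6})
B = Automaton("B", "B0",
              [Edge("B0", "B1", guard=lambda v: v["x"] >= 2, action="a?",
                    update=lambda v: v.update(x=0, n=5)),
               Edge("B1", "B2", update=lambda v: v.update(n=v["n"] + 1))],
              {"B0": lambda v: v["x"] <= 4}, committed={"B1"})
NET = Network([A, B], clocks=("x", "y"), variables=("n",))


def run_example():
    """Replays the trace from the text; returns the four states visited."""
    s0 = NET.initial_state()                  # ((A0,B0), x=0, y=0, n=0)
    s1 = NET.delay(*s0, 3.5)                  # ((A0,B0), x=3.5, y=3.5, n=0)
    s2 = NET.fire(*s1, NET.enabled(*s1)[0])   # synchronize on a: ((A1,B1), n=5)
    s3 = NET.fire(*s2, NET.enabled(*s2)[0])   # B1 committed: its internal edge only
    return s0, s1, s2, s3
```

Calling NET.can_delay on the initial state with d = 5 returns False because of B0's invariant, and on the committed state s2 every delay is refused.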

In this section and indeed in the modeling of the audio/video protocol presented in the following sections, the values of all clocks are assumed to increase with identical speed (perfect clocks). However, UPPAAL also supports analysis of timed automata with varying and drifting time-speed of clocks. This feature was crucial in the modeling and analysis of the Philips Audio-Control protocol [?] using Uppaal.

Uppaal is able to check for reachability properties, in particular whether a certain combination of control-nodes and constraints on clock and data variables is reachable from an initial configuration. The properties that can be analyzed are of two forms: “A[] p” and “E<> p”, where p is a formula over clock variables, data variables, and control-node positions. Intuitively, for “A[] p” to be satisfied, all reachable states must satisfy p. Dually, for “E<> p” to be satisfied, some reachable state must satisfy p.

* Indicated graphically by a double circled node.
4 Timed Transitions and Interrupts

In this section, we shall introduce techniques for dealing with a couple of concepts that appear in the protocol, and which are not supported directly by the Uppaal notation. These concepts are on the one hand time slicing in combination with time consuming transitions, and on the other hand prioritized interrupts. We refer to time slicing as the activity of delegating and scheduling execution rights to processes that all run on the same single processor. Transitions normally don’t take time in UPPAAL, but this occurs in the protocol. Interrupts are a well-known concept.

First, we give a small example illustrating what we need. Then we suggest the techniques that we shall apply in the modeling of the protocol.

4.1 The Problem 

Assume a system with two processes A and B running on a single processor. Assume further, that these processes can be interrupted by an interrupt handler. The situation is illustrated in Figure 4, which is not expressed in the UPPAAL language, but rather in some informal extension of the language.





Fig. 4. What we want to express (figure not reproduced; processes A, B and Interrupt, each edge labeled with its time slot)



Each edge modifies a variable (A modifies x and y, B modifies v and w, and the interrupt handler modifies i and j). These assignments only serve to identify the edges and have no real importance for the example. Each edge is furthermore labeled with a time slot within parentheses (2, 5, 7-12), indicating the amount of time units the edge takes. The slot 7-12 means anywhere between 7 and 12 time units.

Suppose the interrupt handler does not interrupt. Then the semantics should be the 
following: A and B execute in an interleaved manner modeling the time slicing of the 
processor - each transition taking the amount of time it is labeled with. No unnecessary 
time is spent in intermediate nodes (except waiting for the other process to execute). At 
the end, as soon as both A and B are in the node c, at least 19 (2 + 5 + 5 + 7) and at 
most 24 (2 + 5 + 5 + 12) time units will have passed. 

An interrupt can occur at any moment and executes “to the end” when occurring. That is, it goes from node a to c without either A or B being allowed to execute in the meantime. If we assume that the interrupt handler can also interrupt, then it will change the above numbers to 26 (19 + 2 + 5) and 31 (24 + 2 + 5).

Our goal is now to formulate this in the Uppaal language. Consider an approach where nodes are annotated with time constraints on local clocks, expressing the time consumed by the previous edge. This solution does not work since the two automata may consume time “together”, which does not reflect the desired behavior, since they are supposed to run on a single processor. Let us first model time consuming transitions, ignoring the interrupts for a moment.

4.2 Modeling Timed Transitions 

In a single processor setting it is natural to hand over time control to a single “operating system” process. Figure 5 illustrates such a process, called Timer, using a local clock k.




Fig. 5. The Timer 



It has a start node, named go, in which time is constrained to not progress at all. This means that in order for time to progress, one of the edges t2?, t5? or t7_12? must be taken. These edges then lead to nodes where time can progress the corresponding number of time units, after which control returns immediately (back is a committed node just used to collect the edges) to the go node.

Now let us turn to the processes A and B, which are shown in Figure 6. These now communicate with the Timer, asking for time slots. Every time unit T that in the informal model, Figure 4, was in brackets (T) is now expressed as tT!. When for example A takes the edge from node a to node b, the Timer goes into the node w2, and stays there for 2 time units while A stays in node b. Hence, the time consumed by an edge is really consumed in the node it leads to. We have, however, guaranteed that B, for example, cannot go to the node b and consume time “in parallel” since that would require a communication with Timer, and this is not ready for that before it returns to the node go.

Fig. 6. A and B communicating with the Timer (figure not reproduced; nodes a, b, c, d)

When A reaches the node c, it has not yet consumed 7 time units (2 + 5), it has only consumed 2. The 5 will be consumed while in node c. In order to reach a state where we for sure know that all the time has been consumed, we add an extra d node, which is reached by communicating finish! to the Timer. This forces the Timer to “finish” the last time consumption. Now we can express and verify the following true property, where gc is a global clock variable that is never reset:

A[] (A.d and B.d) imply ((19 <= gc) and (gc <= 24)) 

That is, if both A and B reach node d, then they will do so within 19—24 time units. Note 
that due to the design of the Timer, time cannot progress further when that happens (the 
Timer will be in the go node where time cannot progress). Of course one can design a 
Timer that allows time to progress freely when asked to, and that is in fact what happens 
in the protocol. Basically one introduces an idle node in the Timer, that can be entered 
upon request, and where time can progress without constraints. 

It is possible to model such single processor time scheduling in model checkers lacking real-time features, such as for example Spin [?]. However, when trying to formulate and verify properties where time ticks are summed up, such explicit modeling easily leads to state space explosion.

4.3 Modeling Interrupts 

Now we incorporate the interrupt handler. The basic idea is to give a priority to each process, and then maintain a variable, which at any moment contains the priority currently active. Processes with a priority lower than the current cannot execute. When an interrupt occurs, the current priority is set to a value higher than those of the processes interrupted.

Processes A and B can for example have priority 0 while the interrupt handler gets priority 1. When the interrupt occurs, the current priority is then set to 1, preventing priority 0 processes from running. We introduce the variable cur for this purpose, see Figure 7. The Timer stays unchanged.

Note how the variable cur occurs in guards of A and B, and how it is assigned to by the interrupt handler. In this model, we can verify the following property to be true:

A[] (A.d and B.d and Interrupt.d) imply
(26 <= gc and gc <= 31)
Fig. 7. Dealing with interrupts
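The single-processor scheduling of section 4.2 and the priority variable cur of section 4.3, explored explicitly as an added example that is not the paper's own model: every interleaving of time-consuming edges on one processor is enumerated, and the 19..24 and 26..31 bounds quoted above fall out of the explored final states. Since Figure 4 is not reproduced, the assignment of the slots 2 and 5 to A's edges, 5 and 7-12 to B's, and 2 and 5 to the interrupt handler's is an assumption.

```python
"""Added example (not from the paper): explicit-state exploration of the
single-processor scheduling sketched in Figure 4, reproducing the bounds
19..24 (no interrupt) and 26..31 (one interrupt) quoted in the text.

Assumed: A's two edges take 2 and 5 time units, B's 5 and 7-12, the
interrupt handler's 2 and 5; A and B have priority 0, the handler priority 1;
`cur` is the highest priority among processes that have started but not yet
finished, which is what the handler's assignment to cur in section 4.3 does."""
from collections import deque

PROCS = {"A": [(2, 2), (5, 5)], "B": [(5, 5), (7, 12)]}   # (lo, hi) per edge
INTERRUPT = {"Interrupt": [(2, 2), (5, 5)]}
PRIORITY = {"A": 0, "B": 0, "Interrupt": 1}


def current_priority(pcs, procs):
    """Mirror of the `cur` variable: a process that has taken at least one
    edge but not all of them holds the processor at its own priority."""
    running = [PRIORITY[p] for p, pc in pcs if 0 < pc < len(procs[p])]
    return max(running, default=0)


def explore(with_interrupt):
    """Breadth-first search over (program counters, elapsed-time interval).
    One edge executes at a time (single processor); a process may start an
    edge only if its priority is not below `cur`; the edge's slot is added to
    both ends of the elapsed-time interval, so no idle time is ever inserted.
    Returns the set of intervals reached when every process has finished."""
    procs = dict(PROCS)
    if with_interrupt:
        procs.update(INTERRUPT)
    start = (tuple((p, 0) for p in sorted(procs)), 0, 0)
    seen, work, finished = {start}, deque([start]), set()
    while work:
        pcs, lo, hi = work.popleft()
        pcd = dict(pcs)
        if all(pcd[p] == len(procs[p]) for p in procs):
            finished.add((lo, hi))          # all in their final node d
            continue
        cur = current_priority(pcs, procs)
        for p in procs:
            pc = pcd[p]
            if pc == len(procs[p]) or PRIORITY[p] < cur:
                continue                     # finished, or pre-empted by cur
            elo, ehi = procs[p][pc]
            nxt = dict(pcd)
            nxt[p] = pc + 1
            state = (tuple(sorted(nxt.items())), lo + elo, hi + ehi)
            if state not in seen:
                seen.add(state)
                work.append(state)
    return finished


def bounds(with_interrupt):
    """Earliest and latest moment at which all processes have reached d."""
    finished = explore(with_interrupt)
    return min(lo for lo, _ in finished), max(hi for _, hi in finished)


def property_holds(with_interrupt, lower, upper):
    """The A[] (... d) imply (lower <= gc and gc <= upper) check of the text,
    evaluated over every explored final state."""
    return all(lower <= lo and hi <= upper for lo, hi in explore(with_interrupt))


if __name__ == "__main__":
    print("without interrupt:", bounds(False))   # (19, 24)
    print("with interrupt:   ", bounds(True))    # (26, 31)
```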



5 Formalization in Uppaal 

In this section, we shall formalize the system in UPPAAL. We start with an overview of the components and their interaction via channels and shared variables. Then we describe the IOP in detail.

5.1 Component Overview 

The system consists of 7 automata, as illustrated in Figure 8. The Timer controls the time slicing between the components using the technique described in section 4.2. In addition, there is an environment which generates interrupts corresponding to data arriving on the links; hence this environment is referred to as the Interrupt Generator.

The components communicate via channel synchronization and via shared variables. The figure illustrates the channel connections by fully drawn arcs, each going from one component (the one that does a send “!”) to another (the one that does a receive “?”). Also, all shared variables are plotted into the figure, in italics, with dotted lines indicating their role as message carriers, from the process that typically writes to the variable to the process that typically reads the variable. This notation is informal, but it should give an overview of the shared variables and the role they play in communication. Channels and variables are described below.

5.2 The Channels 

The AP signals the IOP to go down by issuing an ap_down! (which the IOP then consumes by performing a dual ap_down?). The channels ap_down_ack and ap_down_nack correspond to the IOP’s response to such an ap_down signal from the AP. They represent the acknowledgment (ack) respectively the negative acknowledgment (nack) that the closing down has succeeded respectively not succeeded. The ap_active channel is used by the IOP to request the AP to become active.

Fig. 8. The components (figure not reproduced)

The channels reset, wait, wait_int, i_reset, i_wait are all used to operate the timer. Basically, the reset and i_reset channels are used to activate the timer, to start delivering time slots, while the wait, wait_int and i_wait channels are used to deactivate the timer, to stop delivering time slots. Different channels for resetting (reset and i_reset) respectively waiting (wait, wait_int and i_wait) are needed due to different interpretations of these commands in different contexts. Whenever activated, the timer then delivers time slots to the IOP, the LSL (Low Speed Link) driver, and the interrupt handlers when these issue signals on the ti channels.

5.3 The Shared Variables 

The interrupt generator generates interrupts corresponding to data arriving on the links. Such an interrupt is generated by setting the variable generated_lsl_interrupt to 1 (true). The LSL interrupt handler then reacts to this by interrupting the IOP or the driver, whichever is running. A result of such an interrupt is that the variable lsl_interrupt is set to 1. The IOP reads the value of this variable, and hence is triggered to deal with new data if it equals 1. In order for the interrupt generator to generate interrupts at all, the variable enabled_lsl_interrupt must be 1. Concerning the AP, there is a generated_ap_interrupt and an ap_interrupt, but there is no enabled_ap_interrupt. The AP itself plays the role of AP interrupt generator, and hence sets the generated_ap_interrupt to 1, while the AP interrupt handler reacts to this by setting the ap_interrupt to 1. The variable some_interrupt is 1 whenever either ap_interrupt or lsl_interrupt is 1.

The variable cur is used to ensure that an interrupt handler gets higher priority than the process it interrupts. Note that in this sense, the IOP and the driver have the lowest priority (0), while the LSL interrupt handler has one higher (1), and the AP interrupt handler has the highest (2). Hence, whenever the value of cur is 0, the IOP and the LSL driver are allowed to execute. When the LSL interrupt handler starts executing, it sets the value to 1, whereby the IOP and driver are no longer allowed to execute. The AP interrupt handler can further interrupt all the previous processes, assigning 2 to cur, whereby all other processes with lower priority are prevented from executing.

We said that the AP interrupt handler can interrupt the LSL interrupt handler. This is a truth with modifications. In fact, it is not allowed to interrupt during the initialization phase of the LSL interrupt handler. This is modeled by introducing a semaphore lsl_interrupt_ex. It is used to exclude the AP interrupt handler from interrupting the LSL interrupt handler during the latter’s first activities.

The IOP sends messages to the LSL driver by assigning values to the variable lsl_command with the following meanings: 1 = Initialize the driver, 2 = Close down the driver, and 3 = Activate the driver. After initialization of the driver, the IOP can read the results of the driver’s activity (whether it is still running and whether there are data or not) in the variables lsl_running and lsl_data. Since the model is a reduction from a bigger model also involving the AP driver, we had early in the design a need for maintaining a variable some_running, being true if either ap_running or lsl_running was true, and likewise we needed a variable some_data, being true if either lsl_data or other similar variables were true. These two variables have survived after we have reduced the model.

The three variables sw_stand_by, sleeping and sleep_op are central to the closing down procedure, and the interaction between the IOP and the interrupt handlers. Figure 9 illustrates the relevant pieces of code in the IOP (when approaching stand by mode), respectively the Interrupt handlers. To start with the IOP, the variable sleep_op is a kind of “emergency brake” which can be “pulled” by the interrupt handler. The IOP assigns true to this variable, and it has to be true before going to sleep. The interrupt handler can change the value of sleep_op “in the last microsecond”. Next, the IOP assigns true to the variable sw_stand_by when approaching the stand_by node. Hence this variable is true in a certain critical time zone just before closing down*. When the IOP finally goes down (enters the stand_by mode), the variable sleeping becomes true.

The value of sw_stand_by is used by the interrupt handlers when activated to see whether the IOP is in its critical closing down zone. If so, they assign the value false to the variable sleep_op, and this will then prevent the IOP from going to sleep. The interrupt handlers also “wake up” (sleeping := 0) the IOP in case it is sleeping (sleeping == 1). The sleeping variable is used by the interrupt handler to determine the amount of time used to restart the IOP. If sleeping == 1 it takes 900 microseconds, otherwise it is instantaneous. We shall see the IOP algorithm formulated in Uppaal below.

5.4 The IOP

The IOP, Figure 10, is obtained by refining (in an informal sense) the abstract model presented in Figure [?]. The model is refined using state refinement as well as action refinement. By state refinement we mean that certain states (the ovals) are expanded out to sub-transition systems with new states connected with new (labeled) arcs. We have enclosed these new sub-systems in boxes on Figure 10 such that they can be more easily related to Figure [?]. Note, however, that this is not formal Uppaal notation. By action refinement we mean that also arcs are expanded out to such sub-transition systems. Concerning state refinement, we have expanded each “check driver” state into a couple of states: driver_call - representing the point where a driver has been called - and driver_return - representing the point where the driver returns. The state “check interrupts” has been expanded out to a small transition system consisting of the four states: insert_noop, set_stand_by, check_interrupts and check_noop.

* In the C-implementation, the variable sw_stand_by is a register informing the processor hardware about the approaching close down.

IOP:

sleep_op := 1;
sw_stand_by := 1;
If sleep_op == 1 Then
  sleeping := 1;
  ''stand by''
End;
''after interrupt'':
sw_stand_by := 0
''go up''

Interrupt Handler:

If sleeping == 1 Then
  ''spend 900 ms''
  sleeping := 0
End;
If sw_stand_by == 1 Then
  sleep_op := 0;
  sw_stand_by := 0
End;

Fig. 9. The variables sw_stand_by, sleeping and sleep_op

The IOP starts being active, in the node active. In this node it does not need time slots, hence the timer is supposed to be inactive. Note that although the IOP is in the node active, and hence intuitively is active, from a technical point of view we don’t see it as requiring time slots, since it does not take any transitions.

Now it can receive an ap_down signal from the AP, ordering it to close down. It then proceeds (up, left - referring to the approximate position on the figure) by resetting the timer - reset! - indicating that now it wants processor time slots necessary to close down. It then initializes the variables lsl_running (to 1) and lsl_data (to 0) preparing the activation of the LSL driver, initially assuming that there are no data. Note the “priority 0” guard - cur == 0 - and the time slot demand - t6! - requiring 6 microseconds to initialize these variables. The time constant, and all other time constants in the model, have been estimated by the protocol developers at B&O. When the driver later returns, it will have set the variable lsl_running to 0, and now the IOP can check the value of lsl_data. The driver is, however, first activated with the assignment of 2 (close down) to the variable lsl_command in the edge leading to the node driver_call1.

In this node the IOP waits for the driver to finish its job. If at that point, in node driver_return1, lsl_data equals 1 there is data, and the IOP must activate the driver - lsl_command is assigned the value 3 - and it must respond to the AP with a negative acknowledgment - ap_down_nack!. If on the other hand lsl_data equals 0, then there are no data on the link, and the IOP can proceed successfully to close down, next checking whether there are any interrupts. First, however, it acknowledges via an ap_down_ack! signal to the AP, and then goes to the node insert_noop (up, right) to check interrupts. A possible trace from here leads to the node stand_by, where the IOP is sleeping, and can only be wakened by an interrupt. The waiting for an interrupt is done by issuing a wait_int! signal to the timer just before entering the stand_by node. When an interrupt occurs thereafter, the timer will ensure that the IOP is re-activated immediately.
Fig. 10. The IOP



If on the other hand, before reaching the stand_by node, an interrupt has already occurred, then the IOP will avoid going into that node and instead go directly to the wake_up node. Hence, in this node we assume that an interrupt has occurred, and now the LSL driver has to be re-started, since apparently there must be data. This means re-initializing the variables lsl_running and lsl_data, and then assigning the value 1 (initialize) to lsl_command. In the node driver_call2, the IOP then waits for the LSL driver to return. If there is data - lsl_data equals 1 - the AP is asked to become active - ap_active! - and the IOP goes into the node active. Note that when entering this node, a wait! signal is issued to the timer to deactivate it. If on the other hand there are no data - lsl_data equals 0 - then what has been encountered is noise, and the node noise is entered. In this node the IOP wants to close down, but before doing this, the driver is asked to close down - lsl_command is assigned the value 2. The IOP then waits in the node driver_return3 for the driver’s response.

Now, if there is data - lsl_data equals 1 - the AP is activated - ap_active! - and the node active is entered. If on the other hand there are no data - lsl_data equals 0 - then the IOP returns to the node insert_noop (up, right), ready to check the interrupts again, and close down (if an interrupt does not occur, etc.).

Note that some transitions labeled with channel communications are not labeled with the priority guard cur == 0. These channels are elsewhere defined as urgent, meaning that communication must take place immediately whenever enabled.



6 Verification of Selected Properties 

In this section a collection of properties will be formulated and verified using the UPPAAL logic and verification tool. In order to verify these properties, a set of techniques for annotating the model and for defining observer automata have been applied. These techniques are presented first. Then follows the formulation and verification of the individual properties, of which there are 15.

6.1 Model Annotation and Test Automata 

Amongst the properties formulated by B&O, in particular three kinds were typical and needed special techniques. The general principle behind the three techniques, to be described below, is to annotate the model by adding new variables or communication actions, and then observe these, either by mentioning the variables in the formulae to be verified (the first two techniques) or by letting the new communication actions synchronize with a furthermore added observer automaton (the third technique). The need for these techniques is caused by the existing logic in which it is only possible to state properties like “A[] p” and “E<> p”, where p is an atomic predicate over program variables and nodes (hence no nesting of modal operators). Theoretical as well as practical work is currently undertaken to extend the Uppaal logic, defining translations into model annotations and observers as outlined below.

The Flag Technique The first technique, called the Flag technique for later reference, is illustrated in Figure 11. Suppose we have an automaton A containing two states (amongst others): a and b, and suppose we want to verify that “there is a path from a to b”.





Fig. 11. Automaton A and its annotation 
Note that the current logic does not allow nested modal operators, hence it is for example not possible to state this as: “E<> (a and E<> b)” saying that there exists a path such that eventually node a is reached and from there node b can be reached. The technique consists of annotating automaton A, obtaining automaton Annotated_A, by adding a boolean variable a_reached, which initially has the value 0, and which is assigned the value 1 when passing through a. The property can now be formally stated as follows: “E<> (b and a_reached == 1)”. That is, eventually node b is reached, after having passed through node a.

The Debt technique The second technique, called the Debt technique, is illustrated in Figure 12. Suppose we have an automaton B containing three states (amongst others): a, b and x, and suppose we want to verify that “every path from a to b must pass through x”.





Fig. 12. Automaton B and its annotation 



In an imagined extended logic this could be formulated as follows: “A[] (a imply ((not b) Until x))” saying that if at any time a is reached, then “not b” will hold until x has been reached*. The technique consists of annotating automaton B, obtaining automaton Annotated_B, by adding a boolean variable debt, which initially has the value 0, and which is assigned the value 1 when passing through a. Furthermore, when passing through x it is reset to 0 - the debt has been “cashed”. The property can now be formally stated as follows: “A[] b imply debt == 0”. That is, if at any point node b is reached, then debt must not be 1, since that would indicate that node a had been reached before, but not x in between.
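The Flag and Debt annotations above, realised as explicit-state reachability over the annotated state space (node, variable); this is an added example and not part of the paper. The untimed automaton, its node names s0, a, x, b and both edge sets are constructed for illustration, and the trace returned for a hit is the shortest diagnostic trace in the sense of the tool overview above.

```python
"""Added example (not from the paper): the Flag and Debt techniques as
explicit-state reachability over the annotated state space (node, variable).
The automata below are constructed for illustration; they are untimed, which
is all the two techniques need."""
from collections import deque


def explore(edges, initial, annotate):
    """Breadth-first search over annotated states (node, var), where
    `annotate(node, var)` gives the variable's value after passing through
    `node`.  Returns a parent map, so that shortest traces can be rebuilt."""
    start = (initial, annotate(initial, 0))
    parent, work = {start: None}, deque([start])
    while work:
        state = work.popleft()
        node, var = state
        for nxt in edges.get(node, ()):
            succ = (nxt, annotate(nxt, var))
            if succ not in parent:
                parent[succ] = state
                work.append(succ)
    return parent


def trace(parent, state):
    """Shortest diagnostic trace from the initial state to `state`."""
    path = []
    while state is not None:
        path.append(state)
        state = parent[state]
    return path[::-1]


def flag_technique(edges, initial, a, b):
    """E<> (b and a_reached == 1): returns a witness trace, or None."""
    def annotate(node, a_reached):
        return 1 if node == a else a_reached        # the flag is never cleared
    parent = explore(edges, initial, annotate)
    return trace(parent, (b, 1)) if (b, 1) in parent else None


def debt_technique(edges, initial, a, b, x):
    """A[] (b imply debt == 0): returns None if every path from a to b passes
    through x, otherwise the shortest error trace (a reached, then b, no x)."""
    def annotate(node, debt):
        if node == a:
            return 1            # the debt is incurred when passing a
        if node == x:
            return 0            # ... and cashed when passing x
        return debt
    parent = explore(edges, initial, annotate)
    return trace(parent, (b, 1)) if (b, 1) in parent else None


# Constructed automata: every path from a to b passes x in GOOD, while BAD
# has a shortcut edge a -> b that the Debt technique must catch.
GOOD = {"s0": ["a", "b"], "a": ["x"], "x": ["b"], "b": ["s0"]}
BAD = {"s0": ["a"], "a": ["x", "b"], "x": ["b"], "b": []}

if __name__ == "__main__":
    print("flag, GOOD:", flag_technique(GOOD, "s0", "a", "b"))
    print("debt, GOOD:", debt_technique(GOOD, "s0", "a", "b", "x"))   # None
    print("debt, BAD: ", debt_technique(BAD, "s0", "a", "b", "x"))    # error trace
```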

The Observer Technique The last technique, called the Observer technique, is illustrated in Figure 13. Suppose we have an automaton C containing two nodes (amongst others): a and b, and suppose we want to verify that “from node a, node b must be reached within T time units”.

In an extended logic this could be formulated as follows: “A[] (a imply A<T> b)” saying that if at any time a is reached, then eventually - within T time units - node b will be reached. The technique consists of annotating automaton C, obtaining automaton Annotated_C, by adding two kinds of communication actions, each of which communicates with an added observer that measures time. Let’s first look at Annotated_C. When in node a, a begin! signal can be issued, telling the observer to start measuring time. When reaching node b, no matter along which path, an end! signal is issued, telling the observer to stop measuring time. The channel end is declared as urgent, hence it will be taken as soon as node b is reached.

* Note that the Until operator here must be weak in the sense that node x need not be reached at all, and hence node b need not be reached either, which is what we want.

Fig. 13. Automaton C, its annotation and observer

The Observer automaton rests in the start node until it receives a begin? signal (node a reached), after which it initializes its local clock c and enters the node wait where time can progress. Time can, however, only progress T time units due to the node invariant, after which the node bad is entered. If on the other hand an end? signal is received before that, then the node good is entered. The property can now be formally stated as a property of the observer: “A[] not bad”. That is, the Observer will never reach node bad: an end? signal will always be received (b reached) before T time units.

6.2 Property Verification 

In this section we shall present the results of analyzing in Uppaal various desired prop- 
erties. The properties as directly formulated by B&O are listed below, with explanatory 
comments in brackets. The listing is just supposed to give the reader a general feeling 
of the kinds of properties formulated. 

1. sleeping must not change from 0 to 1 while sleep.op has the value 0. (The lOP must 
not go to sleep if there has been an interrupt - see Figure Ufor an explanation of these 
variables. ) 

2. There must be a path from active to standjay and vice versa. (It must be possible for 
the lOP to switch between its two final states.) 

3. Every path from active to noise must pass through standjcy (The lOP must have 
been asleep before reaching the noise state where it on its way up due to an interrupt 
discovers that the interrupt is “false", and hence caused by noise only.) 

4. The variable sleeping must not change from 0 to 1 while lsl_interrupt is 1 or 
ap_interrupt is 1 (The lOP must not go to sleep as long as there is an untreated inter- 
rupt.) 
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5. The shortest way from driver_returnl to driver_call2 does not take more than 
1500 fis (If the lOP on its way down verifies that the link is empty by calling the driver, and 
then immediately thereafter data arrive (an interrupt occurs) no more than 1500 ps must 
pass before the driver is called again.) 

6. The shortest way from driver_returnl to active does not take more than 1500 ps (If 
the lOP on its way down discovers data on the link by calling the driver, then no more than 
1500 ps must pass before the lOP is active again.) 

7. The shortest way from driver_return3 to driver_call2 does not take more than 
1500 ps (LikeB but in a different place in the protocol ’s execution. ) 

8. The shortest way from driver_return3 to active does not take more than 1500 ps 
(Like^ but in a different place in the protocol ’s execution. ) 

9. If the last value of the variable lsl_command has been 1 or 3 (driver starting commands), 
then the value of sleeping must not change from 0 to 1 (If the last command issued to the 
driver was a ‘‘start command” , then the lOP must not go to sleep.) 

10. If the last value of lsl_command has been 3 (activate driver), then the next value must not 
be 1 (initialize driver), and vice versa (In between two driver starting commands must come 
a driver closing command. ) 

11. No more than 1500 ps must pass from an interrupt occurs until all drivers are active 

12. It must be possible for both interrupt handlers to want to assign 0 to sleep_op at the same 
time, while in addition this variable’s value is already 0 (Intuition missing - “technical” 
property. ) 

13. If both interrupt handlers want to assign 0 to sleep_op at the same time, then the IOP will
be in one of the nodes: set_stand_by, check_interrupts, check_noop,
w_stand_by, stand_by, or wake_up (If both an LSL and an AP interrupt occur, and both
interrupt handlers believe that the IOP is approaching stand by mode, then this is the case.)

14. It must be possible to come from the node noise to the node stand_by (In case the IOP has
discovered noise on the link, it will reach stand by mode and go to sleep, unless data arrive.)

15. It should not be possible to come from the node stand_by to the node active without
synchronizing on the channel ap_active (The IOP cannot get from stand by mode to
active mode without activating the AP.)

Figure 14 shows the verification results, indicating the outcome (satisfied or not)
and the verification technique used. Those properties not verified using any of the three
techniques outlined above have been verified using other and simpler techniques:
“trivial” means the property was seen correct without verification, “formula” means that
the property could be directly stated in the Uppaal temporal logic. Finally, “formula
+ aux. variable” means that by adding an additional variable being updated in
appropriate places, the property could be directly stated in the UPPAAL temporal logic. The
properties were verified using UPPAAL version 2.17 from March 1998, on a Sun Ultra
Sparc 60 with 512 MB main memory.

Properties 3 and 12 turned out not to be satisfied, and after having examined the 
error traces B&O recognized that these properties were wrongly formulated and hence 
the “error” traces showed valid behaviors. 

Properties 5-8, on the other hand, are interesting in the sense that their verifications 
failed and caused B&O to reconsider their design. In particular property 5 gave an 
error trace, where a single LSL interrupt and 18 AP interrupts, all consuming time, are 
generated before the next driver call. As a result, B&O decided to only allow one AP 
interrupt to occur in their implementation. 
Fig. 14. Verification results



7 Conclusion 

During a period of 3 weeks, a model of B&O’s Power Down protocol was developed 
and verified using the Uppaal language and model checker. The first week consisted 
of an intense collaboration between AAU and B&O, where the B&O representative vis- 
ited AAU. During this week, a first sketch of the model was written down in Uppaal’s 
language. The model was based on an initial design sketch made by the company rep- 
resentative. The work carried out during the following two weeks was mainly carried 
out by AAU. Hence, during the second week, a technique was introduced for dealing 
with timed transitions and interrupts. During this same week, the model was reduced by 
omitting certain components in order to obtain a model being verifiable within reason- 
able time and memory space. In other words, at the end of the second week, a model 
was produced that was ready for verification. At the beginning of the third (and last) 
week, various properties to be verified were formulated by B&O in natural language. 
These were then translated into the Uppaal temporal logic, together with various mod- 
ifications to the model, and all verifications were then carried out. 

After the collaboration, the company made a C-code implementation, and after a 
testing phase (which did not reveal any design errors), the implementation is by now 
ready to be put into operation in the new company product. 

During the development of models, we found that the notion of timed automata
and their graphical representation served extremely well as a communication medium
between the industrial protocol designer and the tool expert doing the simulation and
verification. In addition, the graphical simulation features of UPPAAL led to fast
detection of (obvious) errors in the early models.

The protocol was verified correct wrt. the 15 properties formulated by B&O, and 
although no bugs were identified, various critical time constants were identified, which 
should be obeyed in order to keep the protocol correct. Various unexpected, but correct, 
behaviors were furthermore demonstrated, challenging the understanding of the pro- 
tocol. Overall, the experience appeared to increase B&O’s confidence in their design. 
The fact that 3 errors were caught during the modeling phase suggests that just
specifying a system can be very informative. In fact, B&O claimed they had got a better
understanding of their system this way.

The collaboration has been beneficial for both partners: B&O now considers tools
like Uppaal as viable means to improve the design process for time-critical software.
Also, in order to model the system, we have developed techniques for modeling timed
transitions and prioritized interrupts. A timed transition is a transition which consumes
time, like code in a program which takes time to execute. A special circumstance is
that several processes run on a single processor. To the best of our knowledge, such
techniques have not been presented elsewhere.

Concerning the UPPAAL tool set, we anticipate investigating techniques for
version control (keeping track of several related models), and we consider tool support for
defining abstractions. Both themes appear non-trivial in fact. Concerning the UPPAAL
language, a technical contribution of the work is a way of modeling timed transitions
and interrupts in a setting where several processes share one processor. In the
forthcoming new version of UPPAAL, the introduction of parameterized timed automata
will support a more structural way to define time consuming transitions than we have
presented in this paper. In mu, the problem of supporting task scheduling is treated. It 
is likely that this work will be included in later versions of UPPAAL. 

In this work, we have sketched a number of patterns which may be used to define 
properties of real-time systems. In on the limits of Uppaal’s model checking lan- 
guage are characterized. In future versions of Uppaal, its timed logic will be modified 
according to these results - thereby supporting the definition of the patterns in a more 
direct way. 
Abstract. In this paper we study the issue of progress for distributed
timed systems modeled as the parallel composition of timed automata. 
We clarify the requirements of discrete progress (absence of deadlocks) 
and time progress (absence of deadlocks and timelocks) and give static 
sufficient conditions for a model of TA to be deadlock- and timelock-free. 
We also present dynamic techniques for deadlock and timelock detection. 
The techniques are based on forward symbolic reachability and are on- 
the-fly, that is, they can return an answer as soon as possible, without 
necessarily having to construct and store the whole state space. 



1 Introduction 

Distributed timed systems are systems consisting of a number of communicating 
components, the behavior of which depends on timing constraints. Distributed 
timed systems have become increasingly interesting because on the one hand 
they are used in critical applications and on the other hand they are complex 
enough so that it is not obvious to prove their correctness. Formal verification 
techniques are used for this purpose: the system and its desired properties are 
described formally using mathematical models; then, it is checked whether the 
system’s model satisfies the properties. 

What is implicit (thus, informal) in the verification process is modeling. There 
are few ways to ensure that the system’s model captures correctly the behav- 
iors of the system and that the property’s model corresponds to the expected 
property. An obvious way is by trial-and-error: the models are built in stages, 
and are modified during the verification process, until they are believed to be 
realistic enough. A more systematic way to ensure sanity of the system’s model 
is to check that it satisfies the property of progress, that is, the ability to execute 
forever. Progress is usually a minimal requirement: if it does not hold, then the 
model is probably wrong, since the real system is not supposed to stop.¹

In this paper we study the issue of progress for timed systems modeled as
timed automata (TA) [ACD93, HNSY94]. The requirement of progress is particularly
relevant in this model, especially in cases where the system is composed by

* This work has been done at Verimag. Currently, the author is at UC Berkeley as
a post-doctoral scholar. Current address: 275M Cory Hall, UC Berkeley, 94720 US.
Tel. +1 510 642 5649, Fax. +1 510 642 6330. E-mail: stavros@eecs.berkeley.edu.

¹ This is a convenient simplifying hypothesis, which does not result in loss of
generality: if the system may terminate execution in some legal end state, we can assume
that it can continue performing infinitely often “dummy” actions which do not
modify its state.

J.-P. Katoen (Ed.): ARTS’99, LNCS 1601, pp. 299-314, 1999.
more than one component (this is most usually the case for realistic systems).
The parallel composition operator typically used in TA involves conjunctive
synchronization semantics, which can lead to unexpected non-progress behaviors.
Therefore, a need for methods to detect these problems during modeling has been
expressed by users of TA verification tools (see, for instance, [BFK+98]).

After recalling TA (section 2) we clarify the notion of progress in timed
systems (section 3). Unlike untimed systems which have only one type of evolution
by discrete state changes, TA evolve in two possible ways, namely, either by
taking a discrete transition or by letting time pass. Accordingly, there are two
progress requirements related to TA, namely, discrete and time progress.

The discrete progress requirement states that it should be possible to take 
discrete transitions infinitely often. It corresponds to the (unique) progress re- 
quirement in untimed systems, that is, deadlock-freedom. In the timed context, 
deadlocks are states from which no discrete transition is possible, even after 
letting time pass. 

The time progress requirement states that it should be possible for time to 
diverge, that is, elapse without upper bound. This requirement is justified by 
our intuition about the physical world we are trying to model, summarized in 
the following hypothesis: 

Any physical process, no matter how fast, cannot be infinitely fast. 

The above hypothesis implies that only a finite (possibly unbounded) number 
of events can occur in a certain (positive) amount of time. Executions which 
violate this property are called zeno. In a deadlock-free model, time progress 
corresponds to the absence of timelocks, that is, states from which all possible 
infinite executions are zeno. 

In section 3 we give conditions ensuring that a TA model is deadlock- and
timelock-free. These conditions are sufficient but not necessary, since they are 
static, that is, they take into account the discrete structure of the TA but not 
the reachable state space in the presence of timing constraints. On the other 
hand, they can be quite useful in practice, since they are not expensive to check. 

In section 4 we present dynamic techniques for detecting deadlocks and
timelocks. These techniques are both sound and complete, that is, they only detect
true deadlocks or timelocks, and they report nothing only when the model is deadlock-
or timelock-free. The techniques are also on-the-fly: they are based on a forward
symbolic reachability which covers all reachable state space. In the case of
deadlocks, they are detected locally on each visited node in the symbolic reachability
graph. In the case of timelocks, they are detected using a nested reachability
starting from each visited node. In both cases an answer can be returned as
soon as possible, and diagnostics can also be provided.

Related work. Although progress is not explicitly discussed in the original work
of Alur et al. [ACD93], their region graph construction can be used for deadlock
and timelock detection: viewing the region graph as an untimed graph, deadlocks
can be detected as usual, by finding sink nodes in this graph; timelocks can be
detected by encoding non-zenoness as a generalized Büchi acceptance condition
and solving an untimed emptiness problem. Although theoretically possible, both
these approaches are too expensive in practice, mainly due to the very large size
of the region graph.

Timelock-freedom is handled in [HNSY94] using a symbolic technique based
on a backward fix-point computation.² Informally, a TA is timelock-free iff
it satisfies the TCTL formula init ⇒ ∀□ ∃◇_{≥1} true. Although this approach is
feasible, it has some important drawbacks, namely:

— It is not on-the-fly, since the fix-point computation must terminate before 
an answer can be returned. 

— It does not provide diagnostics, except in a very primitive form, namely, 
the characteristic set of a formula. Usually what is needed as diagnostics is 
sample executions. 

— It considers the whole potential state space, whereas what is interesting is 
only the reachable part of the state space. 

More recently, the work of Sifakis et al. iBssg Esna EOT treats the 
problem from a different perspective. Instead of checking that the model satisfies 
progress, this work aims at developing a theory of composition of timed systems 
which guarantees progress as much as possible. 

2 Background 

2.1 Dense State Spaces 

Clocks and valuations. Let R be the set of non-negative reals and X = {x_1, ..., x_n}
be a set of variables in R, called clocks. An X-valuation is a function v : X → R.
We write 0 for the valuation that assigns zero to all clocks. For some Y ⊆ X,
v[Y := 0] is the valuation v' such that ∀x ∈ Y . v'(x) = 0 and ∀x ∉ Y . v'(x) = v(x).
For every δ ∈ R, v + δ (resp. v − δ) is a valuation such that for all x ∈ X,
(v + δ)(x) = v(x) + δ (resp. (v − δ)(x) = v(x) − δ). Given c ∈ N, two valuations
v and v' are called c-equivalent if:

— for any clock x, either v(x) = v'(x), or v(x) > c and v'(x) > c;

— for any pair of clocks x, y, either v(x) − v(y) = v'(x) − v'(y), or v(x) − v(y) > c
and v'(x) − v'(y) > c.

Polyhedra. An atomic constraint on X is an expression of the form x ~ c or
x − y ~ c, where x, y ∈ X, ~ ∈ {<, ≤, >, ≥} and c ∈ N. An X-valuation v
satisfies the constraint x ~ c if v(x) ~ c; v satisfies x − y ~ c if v(x) − v(y) ~ c.

An X-hyperplane is a set of valuations satisfying an atomic clock constraint.
The class H_X of X-polyhedra is defined as the smallest subset of 2^(R^n) which
contains all X-hyperplanes and is closed under set union, intersection and
complementation.

² Deadlocks are not considered, since they are meaningless in the TA model
of [HNSY94] (see remark 1).

We often use the following notation for polyhedra: we write x < 5 for the
hyperplane defined by the constraint x < 5, x < 5 ∧ y = 2 for the polyhedron
defined as the intersection of x < 5 and y = 2, and so on. We also write true for
R^n (equivalently, ∧_{x∈X} x ≥ 0), false for ∅ (equivalently, ∧_{x∈X} x < 0), and 0
for {0} (equivalently, ∧_{x∈X} x = 0).

A polyhedron ζ is called convex if for all v_1, v_2 ∈ ζ and for any 0 ≤ δ ≤ 1,
δv_1 + (1 − δ)v_2 ∈ ζ. A polyhedron is convex iff it can be defined as the intersection
of a finite number of hyperplanes. On the other hand, if ζ is non-convex then it
can be written as ζ_1 ∪ ··· ∪ ζ_k, where ζ_1, ..., ζ_k are all convex. We denote the set
{ζ_1, ..., ζ_k} by convex(ζ).



Operations on polyhedra. By definition, intersection, union and complementation
are well-defined operations on polyhedra. Polyhedra difference is defined via
complementation as: ζ_1 \ ζ_2 = ζ_1 ∩ ¬ζ_2. The test for inclusion ζ_1 ⊆ ζ_2 is equivalent
to ζ_1 \ ζ_2 = ∅. We now define some more operations which will be used in the
sequel. Examples of operations are shown in figure 1.



c-closure. This operation is necessary for guaranteeing termination of the
reachability algorithms given in section 4.

Given a convex X-polyhedron ζ and a natural constant c, the c-closure of ζ,
denoted close(ζ, c), is the greatest convex X-polyhedron ζ' ⊇ ζ such that for all
v' ∈ ζ' there exists v ∈ ζ such that v and v' are c-equivalent. Intuitively, ζ' is
obtained from ζ by “ignoring” all bounds which involve constants greater than c.
ζ is said to be c-closed if close(ζ, c) = ζ.

Lemma 1. 1. If ζ is c-closed then it is c'-closed, for any c' ≥ c.

2. If ζ_1 and ζ_2 are c-closed then ζ_1 ∩ ζ_2 is also c-closed.

3. For any ζ, there exists a constant c such that ζ is c-closed.

From now on, c_max(ζ) will denote the smallest constant c such that ζ is c-closed.



Lemma 2. For any constant c, there is a finite number of c-closed X-polyhedra.



Clock resets. We define the operations ζ[Y := 0] and [Y := 0]ζ of forward and
backward clock reset, respectively, as follows:

ζ[Y := 0] = {v[Y := 0] | v ∈ ζ}

[Y := 0]ζ = {v | v[Y := 0] ∈ ζ}

Intuitively, ζ[Y := 0] contains all valuations which can be obtained from some
valuation in ζ by resetting clocks in Y. [Y := 0]ζ contains all valuations which, after
resetting clocks in Y, yield a valuation in ζ.
Time elapse. We define the operations of backward and forward time elapse of
an X-polyhedron ζ to be the X-polyhedra ↙ζ and ↗ζ respectively, such that:

v' ∈ ↙ζ iff ∃δ ∈ R . v' + δ ∈ ζ
v' ∈ ↗ζ iff ∃δ ∈ R . v' − δ ∈ ζ

The following result is easy to derive from the definitions.

Lemma 3. If ζ is convex and Y ⊆ X then ζ[Y := 0], [Y := 0]ζ, ↙ζ and ↗ζ
are also convex.



Effective representation. X-polyhedra can be effectively represented using the
difference bound matrix (DBM) data structure, first proposed by [Dil89]. Convex
X-polyhedra can be represented by a single DBM, which can be reduced
to a minimal (or canonical) form using an O(|X|³) algorithm. A non-convex
polyhedron ζ is the union of k convex polyhedra ζ = ζ_1 ∪ ··· ∪ ζ_k. Therefore, ζ
can be represented (in a non-canonical way) by a list of k DBMs, one for each
polyhedron ζ_1, ..., ζ_k. Semantic operations on polyhedra can be implemented as
syntactic DBM transformations [Yov93, Daw98].

It is more interesting to work with convex polyhedra, since they admit a
memory-efficient representation (quadratic in the number of clocks) and time-
efficient operations (cubic in the number of clocks). Non-convex polyhedra are
more expensive (exponential worst-case time and space complexity). However,
sometimes non-convex polyhedra are indispensable, for example, when the
algorithms involve complementations or unions. In this paper we manage to use
convex polyhedra as much as possible. In particular, the reachability analyses
of section 4 are performed on convex polyhedra. Non-convex polyhedra are used
temporarily, for instance, to check inclusion of a convex polyhedron in a union
of convex polyhedra (section 4.2).



2.2 Timed Automata 

In the sequel, Labels denotes a finite set of labels.

A timed automaton (TA) [ACD93, HNSY94] is a tuple A = (X, Q, q_0, E, invar),
where:

— X is a finite set of clocks.

— Q is a finite set of discrete states.

— q_0 is the initial discrete state.

— E is a finite set of edges of the form e = (q, ζ, a, Y, q'). q, q' ∈ Q are the
source and target discrete states, a ∈ Labels is a label, ζ is a conjunction of
atomic constraints on X defining a convex X-polyhedron, called the guard
of e, and Y ⊆ X is a set of clocks to be reset upon crossing the edge.

— invar is a function associating with each discrete state q a convex
X-polyhedron called the invariant of q.
Given an edge e = (q, ζ, a, Y, q'), we write source(e), target(e), guard(e), label(e)
and reset(e) for q, q', ζ, a and Y, respectively. Given a discrete state q, we write
in(q) (resp. out(q)) for the set of edges of the form (_, _, _, _, q) (resp. (q, _, _, _, _)).

We assume that for each e ∈ out(q), guard(e) ⊆ invar(q). Finally, c_max(A) is
defined as the maximum of c_max(ζ), where ζ is a guard or an invariant of A.

States. A state of A is a pair (q, v), where q ∈ Q is a location, and v ∈ invar(q)
is a valuation satisfying the invariant of q. The initial state of A is (q_0, 0). Two
states (q, v_1) and (q, v_2) are c-equivalent if v_1 and v_2 are c-equivalent.

Transitions. Consider a state s = (q, v). We write s + δ instead of (q, v + δ). A
timed transition from s has the form s -δ-> s + δ, where δ ∈ R and v + δ ∈ invar(q).
s + δ is called the δ-successor of s. Given an edge e = (q, ζ, a, Y, q') such that
v ∈ ζ, a discrete transition with respect to e has the form s -e-> s', where
s' = (q', v[reset(e) := 0]). s' is called the e-successor of s.

We write s -(δ,e)-> s' if either δ = 0 and s -e-> s' is a discrete transition, or
δ > 0 and s -e-> s'' is a discrete transition and s'' -δ-> s' is a timed transition.

Runs. A run of A starting from state s is a finite or infinite sequence p = s_1 -δ_1->
s_1 + δ_1 -e_1-> s_2 -δ_2-> s_2 + δ_2 -e_2-> ··· such that s_1 = s and for all i = 1, 2, ..., s_i + δ_i is
the δ_i-successor of s_i and s_{i+1} is the e_i-successor of s_i + δ_i. The i-th point of p,
denoted p(i), is defined to be s_i, for i = 1, 2, .... The waiting delay of p at point
i, denoted delay(p, i), is defined to be δ_i. All states p(i) where the run spends
no time, that is, where delay(p, i) = 0, are called transient states. The elapsed
time until point i, denoted time(p, i), is defined to be the sum Σ_{j<i} delay(p, j).
The total elapsed time during p, denoted time(p), is defined to be the limit of
the sequence time(p, i), if the sequence converges, and ∞ otherwise.

A state s is reachable if there exists a finite run s_0 -(δ_1,e_1)-> s_1 ··· -(δ_l,e_l)-> s_l = s, for
l ≥ 0, where s_0 is the initial state of A. Let Reach(A) be the set of all reachable
states of A.

Remark 1. Our TA model differs from the one of [ACD93] in two points: first,
we use invariants; second, we permit transient states. Invariants are useful for
specifying the urgency of actions, especially in the context of many TA executing
in parallel. Transient states are also useful when modeling sequences of actions
that take a negligible amount of time.

Our model is also different from the one of [HNSY94]: in our semantics of
runs there is an implicit requirement that discrete transitions are taken infinitely
often, whereas [HNSY94] permit executions where the TA stays forever in the
same discrete state. Our definition is more general, since it permits to distinguish
between the following cases:

(1) an event a occurs eventually but we do not know when; and

(2) an event a may never occur.

We model case (1) by having an edge labeled a going out of a discrete state
with invariant true. We model case (2) by adding a “dummy” self-loop edge to
the state. Using the definition of [HNSY94], case (1) cannot be modeled since
a true invariant implies that there exists an infinite run staying forever in the
corresponding state.

Parallel composition of TA. A system is usually divided in parts; therefore, it
is indispensable to be able to describe systems compositionally, that is, as a set
of components which execute in parallel and communicate in a certain way. We
adopt the usual model of parallelism for TA, based on the synchronous passage
of time for all components and interleaving of discrete actions. Communication
is modeled via action synchronization.

More precisely, consider two TA A_i = (X_i, Q_i, q_0^i, E_i, invar_i), i = 1, 2, such
that X_1 ∩ X_2 = ∅. Let Labels_i be the set of labels local to A_i, that is, Labels_i =
{label(e) | e ∈ E_i}, for i = 1, 2.

Given two edges e_i = (q_i, a_i, ζ_i, Y_i, q_i') ∈ E_i, i = 1, 2, we define the following
composite edges:

— If a_1 = a_2 ∈ Labels_1 ∩ Labels_2, then the synchronization of e_1 and e_2 yields
the edge

e_1||e_2 = ((q_1, q_2), a_1, ζ_1 ∩ ζ_2, Y_1 ∪ Y_2, (q_1', q_2'))

where ζ_1, ζ_2 are viewed as polyhedra on X_1 ∪ X_2 so that the intersection
ζ_1 ∩ ζ_2 is well defined.

— If a_i ∉ Labels_1 ∩ Labels_2 for both i = 1, 2, then the interleaving of e_1 and e_2
yields the edges

e_1||⊥ = ((q_1, q_2), a_1, ζ_1, Y_1, (q_1', q_2))

⊥||e_2 = ((q_1, q_2), a_2, ζ_2, Y_2, (q_1, q_2'))

The parallel composition of A_1 and A_2, denoted A_1||A_2, is defined to be
the TA (X_1 ∪ X_2, Q_1 × Q_2, (q_0^1, q_0^2), E, invar), where, for q ∈ Q_1 and q' ∈ Q_2,
invar(q, q') = invar_1(q) ∩ invar_2(q'), and the set of edges E contains all composite
edges of the form e_1||e_2, e_1||⊥, ⊥||e_2, for e_1 ∈ E_1, e_2 ∈ E_2. That is, the
two automata synchronize on their common labels and interleave on their local
labels.

3 The Requirement of Progress in Timed Systems 

In this section we define formally the requirements of discrete and time progress, 
under the notions of deadlock- and timelock-freedom, respectively. We also give
sufficient but not necessary conditions to ensure deadlock- and timelock-freedom 
in a model of one or more TA. These conditions are static, that is, they take into 
account the discrete structure of the TA but not the reachable state space in the 
presence of timing constraints. This is why the conditions are not necessary: an 
untimed behavior of the TA which does not satisfy the conditions might not be 
valid when the timing constraints are considered. 



Verifying Progress in Timed Systems 



3.1 Discrete Progress 

Discrete progress is captured by the notion of deadlocks. 
Deadlocks. A state s of a TA A is a deadlock if there is no delay δ ∈ R and edge
e ∈ E such that s -(δ,e)-> s'. A is deadlock-free if none of its reachable states is a
deadlock.

We can characterize deadlock-freedom of A by a local condition on its
reachable states. Let q be a discrete state of A and define:

free(q) = ∪_{e ∈ out(q)} ( guard(e) ∩ ([reset(e) := 0]invar(target(e))) )

Intuitively, free(q) contains all valuations v such that the state (q, v) is not a
deadlock. The following lemma follows from the definitions.

Lemma 4. A is deadlock-free iff for each (q, v) ∈ Reach(A), v ∈ free(q).

A static sufficient condition for deadlock-freedom. Based on the above
characterization, a static sufficient condition for deadlock-freedom is given in the following
lemma.

Lemma 5. A is deadlock-free if for each discrete state q and for all e ∈ in(q),
the following condition holds:

((guard(e))[reset(e) := 0]) ∩ invar(q) ⊆ free(q)

We should note that the above condition is not compositional, that is, two TA 
might satisfy the condition while their parallel composition does not. However, 
it is still useful, since it can be checked on the syntactic parallel product of a set 
of TA, which is usually much smaller than a semantic graph which also contains 
clock information, such as the graph defined in the next section. 

3.2 Time Progress 

Zeno runs. Consider an infinite run p such that time(p) ≠ ∞, that is, there exists
t ∈ R such that for all i, time(p, i) < t. Such a run is called zeno, and corresponds
to a pathological situation, since it violates the first of the above time-progress
requirements. As an example, consider the TA A_1 shown in figure 2. Its run

p = (q_0, x = 1) → (q_0, x = 1.5) → (q_0, x = 1.75) → ···, where time(p) = 2, is

zeno. In fact, any run of A_1 taking only a-transitions is zeno.

Timelocks. Timelocks are states violating the time-progress requirement. For- 
mally, a state s of a TA A is a timelock if all infinite runs starting from s are 
zeno. A is timelock-free if none of its reachable states is a timelock. 

Notice that a deadlock is not necessarily a timelock, nor the reverse. For
example, the TA A_1 of figure 2 is deadlock-free, but all its states (q_0, 1 < x < 2)
are timelocks since they are bound to stay in q_0 taking a-transitions forever. On
the other hand, if the a-edge was missing, these states would be deadlocks but
not timelocks, since they would have no infinite runs starting from them at all.

[Figure 2: the right-hand TA A_2 has two a-edges, each with guard x ≥ 1 and reset x := 0.]

Fig. 2. A TA with timelocks (left) and a strongly non-zeno TA (right).

The following lemma characterizing timelock-freedom of a TA A is inspired
from [HNSY94].

Lemma 6. A is timelock-free iff for each s ∈ Reach(A), there exists a run p
starting from s, and some point i in p, such that time(p, i) ≥ 1.

Strongly non-zeno TA. Consider a TA A. A structural loop of A is a sequence
of distinct edges e_1 ··· e_m such that target(e_i) = source(e_{i+1}), for all i = 1, ..., m
(the addition i + 1 is modulo m). A is called strongly non-zeno if for every
structural loop there exists a clock x and some 0 < i, j ≤ m such that:

1. x is reset in step i, that is, x ∈ reset(e_i); and

2. x is bounded from below in step j, that is, (x < 1) ∩ guard(e_j) = false.

Intuitively, this means that at least one unit of time elapses in every loop of A.
For example, the TA A_2 of figure 2 is strongly non-zeno (this would not be the
case if any of the guards x ≥ 1 was missing).

Strong non-zenoness is interesting since it dispenses us with the burden of 
ensuring time progress. Another nice characteristic of strong non-zenoness is 
that it is preserved by parallel composition, so that it can be efficiently checked 
on large systems. 

Lemma 7. 1. If A is strongly non-zeno then every infinite run of A is non-zeno.

2. If A, A' are strongly non-zeno, so is A||A'.

The above lemma provides a static sufficient condition for timelock-freedom. By 
part 1 of the lemma, a strongly non-zeno TA is also timelock-free. By part 2 of 
the lemma, the test for strong non-zenoness can be done in a compositional way. 
By definition, the test for strong non-zenoness is static. 

Remark 2. When modeling a system, it is often the case that some of its com- 
ponents are untimed, that is, they can be modeled using simple finite-state ma- 
chines without clocks. These components can be considered strongly non-zeno 
by convention, so that their parallel composition with the rest of the system does 
not affect the strong non-zenoness of the global system. 
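The static test of this subsection, as an added example and not the paper's own code: it enumerates the structural loops of a TA given as an explicit edge list, applies conditions 1 and 2 to every loop, and checks a system component by component as Lemma 7(2) and Remark 2 allow. The edge encoding and the automata A1, A2, A3 and UNTIMED are constructed here for the illustration.

```python
"""Static strong non-zenoness check for timed automata (TA). Added example,
not the paper's tool. A TA is a dict with 'clocks' and 'edges'; an edge is
(source, label, guard, resets, target) where the guard is a list of atomic
constraints (clock, op, c), op in {'<', '<=', '>', '>='} and c a natural."""


def bounded_below_in(guard, x):
    """True iff (x < 1) ∩ guard = false, i.e. the guard forces x >= 1. With
    natural constants that is a constraint x >= c or x > c with c >= 1;
    x > 0 is not enough, since it still admits x = 1/2."""
    return any(clk == x and op in (">", ">=") and c >= 1
               for clk, op, c in guard)


def structural_loops(edges):
    """Enumerate structural loops: sequences of distinct edges e1..em with
    target(e_i) = source(e_{i+1}), indices modulo m; states may repeat inside
    a loop. A loop is grown only from its lowest-indexed edge, so rotations of
    one cyclic sequence are not reported twice."""
    loops = []

    def extend(path):
        first, last = edges[path[0]], edges[path[-1]]
        if last[4] == first[0]:
            loops.append([edges[i] for i in path])
        # keep extending after closing: two self-loops e1, e2 on one state
        # also form the structural loop e1 e2, which must be checked too
        for j in range(path[0] + 1, len(edges)):
            if j not in path and edges[j][0] == last[4]:
                extend(path + [j])

    for i in range(len(edges)):
        extend([i])
    return loops


def strongly_non_zeno(ta):
    """(True, None) if every structural loop resets some clock x in one step
    and forces x >= 1 in another (possibly the same) step, else (False, loop)
    for a violating loop. Clock-free components pass by convention (Remark 2)."""
    if not ta["clocks"]:
        return True, None
    for loop in structural_loops(ta["edges"]):
        reset_clocks = {x for e in loop for x in e[3]}
        if not any(any(bounded_below_in(e[2], x) for e in loop)
                   for x in reset_clocks):
            return False, loop
    return True, None


def system_strongly_non_zeno(components):
    """Lemma 7(2): the composition is strongly non-zeno if each component is,
    so the check never needs the product automaton."""
    for ta in components:
        ok, loop = strongly_non_zeno(ta)
        if not ok:
            return False, loop
    return True, None


# Constructed automata in the spirit of figure 2: A1 fires a forever without
# ever resetting x, A2 resets x and waits at least one time unit per edge.
A1 = {"clocks": ["x"],
      "edges": [("q0", "a", [("x", "<", 2)], [], "q0")]}
A2 = {"clocks": ["x"],
      "edges": [("q0", "a", [("x", ">=", 1)], ["x"], "q1"),
                ("q1", "a", [("x", ">=", 1)], ["x"], "q0")]}
# A3: reset and lower bound on different edges of the q0-q1 loop is fine, but
# the self-loop c on q1 (guard y > 0, reset y) is a zeno loop of its own.
A3 = {"clocks": ["x", "y"],
      "edges": [("q0", "a", [], ["x"], "q1"),
                ("q1", "b", [("x", ">=", 1)], [], "q0"),
                ("q1", "c", [("y", ">", 0)], ["y"], "q1")]}
UNTIMED = {"clocks": [], "edges": [("p", "tick", [], [], "p")]}

if __name__ == "__main__":
    for name, ta in (("A1", A1), ("A2", A2), ("A3", A3)):
        print(name, strongly_non_zeno(ta))
    print("A2 || UNTIMED", system_strongly_non_zeno([A2, UNTIMED]))
```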
The meaning of different variants of zenoness. We finish this section by
summarizing the meaning of notions related to time progress introduced above.

— Deadlocks and timelocks correspond to modeling errors, since any TA
assumed to capture the behavior of a real system correctly should act infinitely
often and not block time.

— TA which are not strongly non-zeno model systems where an unbounded
number of events can occur in a finite amount of time. For example, the
TA A_1 on figure 2 can perform an unbounded number of a-transitions in 2
time units. Such systems are useful sometimes, for instance, when modeling
a sender which can emit messages arbitrarily fast.

— Strongly non-zeno TA model systems where only a bounded number of events
can occur in a finite amount of time. For example, the TA A_2 on figure 2 can
perform at most two a-transitions in 2 time units. Most systems in practice
are strongly non-zeno.



4 On-the-Fly Deadlock and Timelock Detection 

In this section we present algorithms for deadlock and timelock detection. The
algorithms are on-the-fly, that is, they return an answer as soon as possible,
without necessarily building the whole state space. Both algorithms are based
on a symbolic reachability, where the state space is represented as a graph
the nodes of which are sets of states (symbolic states) and the edges of which
correspond to symbolic successor operations. For simplicity, the algorithms are
presented taking as input a single TA A. It is straightforward to extend them
to take as input the parallel composition A_1|| ··· ||A_k of a number of TA and
generate on-the-fly the symbolic state space of the composite automaton.

The algorithm for deadlock detection uses a simple depth-first search (DFS) 
to generate the symbolic graph and check at the same time that for each visited 
symbolic state S', no state in S is a deadlock. 

The algorithm for timelock detection is more sophisticated. It is based on 
lemma El and uses a nested reachability: at the outer level, a DFS is performed 
to generate the symbolic graph; for each visited symbolic state S, an inner-level 
reachability is performed, to compute the states of S from which time can elapse 
at least by one time unit. If some states in S do not satisfy this property, then 
these states are timelocks. 

4.1 Symbolic Reachability 

Consider a TA $A$ with discrete states $Q$ and clocks $X$. A symbolic state of $A$ is 
a set of states $S = \{(q, v) \mid v \in \zeta\}$, where $q \in Q$ and $\zeta$ is an $X$-polyhedron. For 
simplicity, we denote $S$ as $(q, \zeta)$. If $\zeta$ is convex, then $S$ is called a zone. If $\zeta$ is 
non-convex, we write $\mathrm{convex}(S)$ instead of $\{(q, \zeta') \mid \zeta' \in \mathrm{convex}(\zeta)\}$. 

Given a zone $S = (q, \zeta)$, two edges $e_1 = (q, \zeta_1, X_1, q_1)$ and $e_2 = (q_2, \zeta_2, X_2, q)$ 
of $A$, and a natural constant $c > c_{max}(A)$, we define the following successor and 
predecessor operations: 

$$\mathrm{post}(S, e_1) = \big(q_1,\ \mathrm{close}(\nearrow((\zeta \cap \zeta_1)[X_1 := 0]),\ c)\big)$$

$$\mathrm{pre}(S, e_2) = \big(q_2,\ ([X_2 := 0](\swarrow\zeta)) \cap \zeta_2\big)$$

Intuitively, post() contains all states (and their $c$-equivalents) that can be reached 
from some state in $(q, \zeta)$ by taking an $e_1$-transition, then letting some time pass; 
pre() contains all states that can reach some state in $(q, \zeta)$ by taking an $e_2$- 
transition, then letting some time pass. Since all operations preserve convexity 
of polyhedra, the result of post() and pre() is a zone. 

Based on the above operations, we present the algorithm for symbolic reach- 
ability shown in figure 3. The algorithm takes as input an initial zone $S_0$ and a 
set of target zones $Z$. It returns as output a zone $S \subseteq S_0$, such that all states in 
$S$ can reach some state in some zone in $Z$. If $S = \emptyset$, then no state in $S_0$ can reach 
a state in some zone in $Z$. Visit is the set of currently visited nodes, initially 
empty. 

The algorithm works by exploring on-the-fly symbolic paths, that is, sequences 
of the form $\pi = S_0 \xrightarrow{e_0} S_1 \xrightarrow{e_1} \cdots \xrightarrow{e_{l-1}} S_l$, where for $i = 0, \ldots, l-1$, $S_{i+1} = \mathrm{post}(S_i, e_i)$. 

When the last zone in the path, $S_l$, intersects the target zones, then the whole 
path is pre-stabilized in a backward way, to compute all states of $S_0$ which can 
lead to the target zone along this path. This operation yields $S \subseteq S_0$ such that 

$$\forall s \in S \,.\, \exists \rho = s \xrightarrow{e_0} s_1 \xrightarrow{e_1} \cdots \xrightarrow{e_{l-1}} s_l \ \text{ where } s_i \in S_i, \text{ for } i = 1, \ldots, l.$$

It is important to notice that not all states of $S_0$ which can reach $Z$ are 
included in $S$, that is, it might be the case that some states in $S_0 \setminus S$ can still 
reach $Z$ by another path. On the other hand, if a target zone is hit, then $S$ is 
guaranteed to be non-empty, by the properties of the post() and pre() operators. 
Termination of the algorithm is ensured by a lemma stated earlier in the paper. 



Reach(S_0, Z) {
    let S_0 = (q_0, ζ_0) ;
    if (∃(q, ζ) ∈ Z . q = q_0 ∧ ζ ∩ ζ_0 ≠ ∅) then return (q, ζ ∩ ζ_0) ;       (1)
    Visit := Visit ∪ {S_0} ;
    for each (e ∈ out(q_0)) do
        (q_1, ζ_1) := post(S_0, e) ;                                         (2)
        if (ζ_1 = ∅) then continue ;
        else if (∃(q_1, ζ'_1) ∈ Visit . ζ_1 ⊆ ζ'_1) then continue ;        (3)
        else
            S_1 := Reach((q_1, ζ_1), Z) ;
            if (S_1 ≠ ∅) then return S_0 ∩ pre(S_1, e) ;                     (4)
        end if
    end for each
    return ∅ ;                                                               (5)
}



Fig. 3. Symbolic reachability. 
4.2 Deadlock Detection 

The procedure Reach can be directly used for deadlock detection. Given a TA 
$A = (X, Q, q_0, E, \mathrm{invar})$, it suffices to define the set of target zones as follows: 

$$Z_d = \bigcup_{q \in Q} \mathrm{convex}\big(q,\ \mathrm{invar}(q) \setminus \mathrm{free}(q)\big)$$

Then, by the deadlock lemma stated earlier, $A$ is deadlock-free iff Reach$((q_0, \mathrm{zero}), Z_d)$ returns $\emptyset$. 

In fact, the test of line (1) in the algorithm of figure 3 can be optimized as 
follows. Since, by definition, each visited zone $(q, \zeta)$ is such that $\zeta \subseteq \mathrm{invar}(q)$, 
testing $\zeta \cap (\mathrm{invar}(q) \setminus \mathrm{free}(q)) = \emptyset$ is equivalent to testing $\zeta \setminus \mathrm{free}(q) = \emptyset$. 

Finally, it is worth noticing that in case a deadlock is found, the algorithm 
can be extended in a straightforward way to provide diagnostics showing how 
the deadlock can be reached. 

4.3 Timelock Detection 

Complete Symbolic Reachability. As mentioned above, the reachability pro- 
cedure Reach$(S_0, Z)$ of figure 3 is not complete, in the sense that it does not 
return the greatest subset of $S_0$ which can reach $Z$, but only some non-empty 
subset. On the other hand, the algorithm is sound in the sense that if it returns 
an empty subset, then no state in $S_0$ can reach $Z$. 

To find timelocks, we develop a complete reachability procedure, 
called CompleteReach, based on the partial reachability procedure Reach. 
CompleteReach is shown in figure 4. It takes as input an initial zone $S_0$ and 
a set of target zones $Z$ and returns the greatest subset $S \subseteq S_0$ such that no 
state in $S$ can reach $Z$. $S$ is not necessarily convex, thus it is represented as a 
set of zones $Z_0$. 



CompleteReach(S_0, Z) {
    Z_0 := {S_0} ;
    while (∃S = (q, ζ) ∈ Z_0 such that S' := Reach(S, Z) ≠ ∅) do
        Z_0 := (Z_0 \ {S}) ∪ convex(S \ S') ;
    end while
    return Z_0 ;
}

Fig. 4. Complete symbolic reachability. 



Starting from $S = S_0$, the algorithm first computes using Reach a subset $S'$ 
of $S$ reaching the target zones. Since it might be that the symbolic state $S \setminus S'$ is 
not empty, and some states in it can still reach the target zones, the algorithm 
substitutes $S$ by $S \setminus S'$ and repeats the procedure. $S \setminus S'$ is not always a zone, 
that is, if $S = (q, \zeta)$ and $S' = (q, \zeta')$ then $\zeta \setminus \zeta'$ is not always convex. Since 
Reach performs reachability only on zones, $\zeta \setminus \zeta'$ has to be "split" into a number 
of convex polyhedra using the convex() operator. Then, Reach is called for each 
of the resulting zones. 



Nested Reachability for Timelock Detection. To detect timelocks on a TA 
$A$, we use a nested combination of the partial reachability procedure of figure 3 
and the complete reachability procedure of figure 4. At the outer level, Reach is 
applied to generate the reachable zones of $A$ one by one. For each zone $S$, an 
inner-level complete reachability is performed on an extended TA $A^+$. $A^+$ uses 
an auxiliary clock $z$ to find which of the states in $S$ cannot let time elapse for 
one time unit. 

More precisely, consider a TA $A = (X, Q, q_0, E, \mathrm{invar})$ and let $A^+$ be the 
TA $(X \cup \{z\}, Q, q_0, E, \mathrm{invar})$, where $z \notin X$. Also let $Z_{\geq 1}$ be the set of zones 

$$\{(q,\ z \geq 1) \mid q \in Q\}.$$



TimelockReach(S) {
    let S = (q, ζ) ;
    Z := CompleteReach_{A^+}((q, ζ ∩ z = 0), Z_{≥1}) ;
    if (Z ≠ ∅) then return "YES" ;
    Visit := Visit ∪ {S} ;
    for each (e ∈ out(q)) do
        (q_1, ζ_1) := post(S, e) ;
        if (ζ_1 = ∅) then continue ;
        else if (∃(q_1, ζ'_1) ∈ Visit . ζ_1 ⊆ ζ'_1) then continue ;
        else if (TimelockReach((q_1, ζ_1)) = "YES") then return "YES" ;
        end if
    end for each
    return "NO" ;
}



Fig. 5. Nested reachability for timelock detection. 



The algorithm for timelock detection is shown in figure 5. The outer-most 
reachability procedure, TimelockReach, is identical to procedure Reach of fig- 
ure 3 except that instead of checking the intersection of the currently visited 
zone $S$ with a set of target zones, it checks whether there are states in $S$ from 
which not even one time unit can elapse. For this, CompleteReach is called on 
$A^+$ with initial zone $(q, \zeta \cap z = 0)$ and target zones $Z_{\geq 1}$. CompleteReach returns 
a set of zones $Z$ which cannot reach any zone in $Z_{\geq 1}$. If $Z$ is non-empty, then $S$ 
contains timelocks. Notice that the outer-most reachability is performed on $A$, 
while the inner-most reachability is performed on $A^+$. 

By the timelock lemma stated earlier, $A$ is timelock-free iff TimelockReach$((q_0, \mathrm{zero}))$ returns "NO". 
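The three procedures of figures 3, 4 and 5 (Reach with backward pre-stabilization, CompleteReach, and the nested TimelockReach on A^+) as an added, runnable Python example; it was written for this section and is not the paper's or the Kronos tool's code. Zones are difference bound matrices over integer-valued clocks with non-strict bounds, so zone difference is exact and convex() is the usual one-piece-per-violated-constraint split. Three further assumptions are not in the paper: post() also intersects the target state's invariant (the text only says visited zones satisfy ζ ⊆ invar(q)); the initial zone is (q_0, zero) after time has elapsed within invar(q_0), since post() only lets time pass after an edge; and A^+ gets, besides the auxiliary clock z, an idle self-loop on every state so that letting time pass in place is itself a symbolic step of the inner search. Deadlock detection is not included; it would call reach() with the target zones Z_d of section 4.2. The two automata at the end are constructed: PROGRESSIVE lets one time unit pass from every reachable state, whereas ZENO's state b has invariant x <= 0 and only a zero-delay self-loop, so time is frozen there and the states of a whose only move leads into b are timelocks.

```python
"""Zone-based on-the-fly timelock detection; constructed example (integer-valued clocks, non-strict bounds)."""
from functools import reduce
from itertools import product
INF = float("inf")

class Zone:
    """Difference bound matrix: m[i][j] is an upper bound on x_i - x_j, and clock 0 is the constant 0."""
    def __init__(self, n, m=None):
        self.n, self.m = n, m or [[0 if i == j or i == 0 else INF for j in range(n + 1)] for i in range(n + 1)]
    def canon(self):  # Floyd-Warshall tightening; a negative diagonal entry marks an empty zone
        for k, i, j in product(range(self.n + 1), repeat=3):
            self.m[i][j] = min(self.m[i][j], self.m[i][k] + self.m[k][j])
        return self
    def empty(self):
        return any(self.m[i][i] < 0 for i in range(self.n + 1))
    def conj(self, i, j, b):  # intersect with the constraint x_i - x_j <= b
        z = Zone(self.n, [row[:] for row in self.m])
        z.m[i][j] = min(z.m[i][j], b)
        return z.canon()
    def meet(self, o):
        return Zone(self.n, [list(map(min, r1, r2)) for r1, r2 in zip(self.m, o.m)]).canon()
    def subset(self, o):
        return all(a <= b for r1, r2 in zip(self.m, o.m) for a, b in zip(r1, r2))
    def drop(self, x):  # existential projection of clock x: its row becomes INF, its column the clocks' upper bounds
        m = [[INF if i == x and j != x else r[0] if j == x and i != x else b for j, b in enumerate(r)]
             for i, r in enumerate(self.m)]
        return Zone(self.n, m).canon()
    def reset(self, xs):  # [X := 0]: every clock in xs is dropped, then fixed to 0
        return reduce(lambda z, x: z.drop(x).conj(x, 0, 0).conj(0, x, 0), xs, self)
    def free(self, x):  # inverse reset: the valuations v such that v[x := 0] lies in this zone
        return self.conj(x, 0, 0).conj(0, x, 0).drop(x)
    def up(self):  # time successors: forget every clock's upper bound
        return Zone(self.n, [[INF if j == 0 and i else b for j, b in enumerate(r)] for i, r in enumerate(self.m)])
    def down(self):  # time predecessors: forget every clock's lower bound, then re-tighten
        return Zone(self.n, [[0 if i == 0 and j else b for j, b in enumerate(r)] for i, r in enumerate(self.m)]).canon()
    def close(self, c):  # c-closure: bounds beyond c are forgotten (adds the c-equivalent valuations)
        return Zone(self.n, [[INF if b > c else max(b, -c) for b in row] for row in self.m]).canon()
    def minus(self, o):  # convex(self \ o): one piece per constraint of o that self can violate
        pieces = [self.conj(j, i, -(o.m[i][j] + 1)) for i in range(self.n + 1)  # x_i - x_j >= b + 1
                  for j in range(self.n + 1) if i != j and o.m[i][j] < self.m[i][j]]
        return [p for p in pieces if not p.empty()]

def conj_all(z, cs):
    return reduce(lambda acc, c: acc.conj(*c), cs, z)

class TA:
    """Clocks 1..n plus auxiliary z = n + 1; invar: state -> [(i, j, b)] for x_i - x_j <= b; edges: (src, guard, resets, dst)."""
    def __init__(self, n, q0, invar, edges):
        self.n, self.q0, self.invar, self.edges = n + 1, q0, invar, edges
        self.cmax = max([abs(b) for cs in list(invar.values()) + [e[1] for e in edges] for _, _, b in cs] + [0])

def post(ta, S, e):  # post(S, e) = (q1, close(up((zeta ∩ guard)[X := 0]) ∩ invar(q1), c))
    z = conj_all(S[1], e[1])
    return (e[3], z if z.empty() else conj_all(z.reset(e[2]).up(), ta.invar[e[3]]).close(ta.cmax))

def pre(S1, e):  # pre(S1, e) = (q, [X := 0]^-1(down(zeta1)) ∩ guard)
    return (e[0], conj_all(reduce(lambda z, x: z.free(x), e[2], S1[1].down()), e[1]))

def reach(ta, S0, Z, visit):  # Fig. 3: a non-empty subset of S0 that reaches Z along one path, else None
    q0, z0 = S0
    hit = next((z0.meet(zt) for q, zt in Z if q == q0 and not z0.meet(zt).empty()), None)
    if hit:
        return (q0, hit)
    visit.append(S0)
    for e in [e for e in ta.edges if e[0] == q0]:
        q1, z1 = post(ta, S0, e)
        S1 = None if z1.empty() or any(q == q1 and z1.subset(zv) for q, zv in visit) else reach(ta, (q1, z1), Z, visit)
        if S1:
            return (q0, z0.meet(pre(S1, e)[1]))

def complete_reach(ta, S0, Z):  # Fig. 4: greatest subset of S0 that cannot reach Z, as a list of zones
    pending, safe = [S0], []
    while pending:
        S = pending.pop()
        hit = reach(ta, S, Z, [])
        safe += [S] if hit is None else []
        pending += [(S[0], p) for p in S[1].minus(hit[1])] if hit else []
    return safe

def timelock_reach(ta, S, visit):  # Fig. 5: does some reachable state fail to let one time unit pass?
    q, zeta = S
    plus = TA(ta.n - 1, ta.q0, ta.invar, ta.edges + [(p, [], [], p) for p in ta.invar])  # A+ (idle loop assumed)
    ge1 = [(p, Zone(ta.n).conj(0, ta.n, -1)) for p in ta.invar]  # Z>=1 = {(p, z >= 1) | p in Q}
    if complete_reach(plus, (q, zeta.reset([ta.n])), ge1):  # inner search on A+ from (q, zeta ∩ z = 0)
        return True
    visit.append(S)
    succ = [post(ta, S, e) for e in ta.edges if e[0] == q]
    return any(not z1.empty() and not any(p == q1 and z1.subset(zv) for p, zv in visit)
               and timelock_reach(ta, (q1, z1), visit) for q1, z1 in succ)

def timelock_free(ta):  # start from (q0, zero) after letting time pass, so that post() applies (assumption)
    zero = Zone(ta.n).reset(range(1, ta.n + 1))
    return not timelock_reach(ta, (ta.q0, conj_all(zero.up(), ta.invar[ta.q0]).close(ta.cmax)), [])

# Constructed examples over one clock x (index 1): x <= b is (1, 0, b), x >= b is (0, 1, -b).
PROGRESSIVE = TA(1, "a", {"a": [(1, 0, 2)], "b": [(1, 0, 1)]},
                 [("a", [(0, 1, -1)], [1], "b"), ("b", [(0, 1, -1)], [1], "a")])
ZENO = TA(1, "a", {"a": [(1, 0, 2)], "b": [(1, 0, 0)]},  # b is urgent and only has a zero-delay self-loop
          [("a", [(0, 1, -1)], [1], "b"), ("b", [(1, 0, 0)], [], "b")])
```

timelock_free(PROGRESSIVE) is True and timelock_free(ZENO) is False. In the inner search, reach() first returns the part of the current zone that reaches z >= 1 along one path (for instance through an outgoing edge), and complete_reach() keeps subtracting such hits and re-running reach() on the convex remainders until nothing is left or a remainder cannot reach z >= 1 at all; in ZENO that remainder is the zone (a, x = 2, z = 0), whose only successor is the frozen state b.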
5 Conclusions 

We have presented static and dynamic techniques for ensuring progress in a 
system modeled as the parallel composition of a set of timed automata. Our focus 
has been on practicality. In the case of deadlocks, the static technique is 
interesting when the syntactic parallel product of the system is small, that is, the 
number of reachable discrete states is much smaller than the number of possible 
discrete states in the product. Otherwise, the dynamic technique is preferable. 

In the case of timelocks, the static technique (the test for strong non-zenoness) is 
very efficient since it can be applied compositionally. Although not complete, this 
technique is useful in practice since most realistic systems are strongly non-zeno. 

The techniques are currently being implemented in the real-time verification 
tool Kronos. This tool already uses forward symbolic reachability analysis 
to check safety properties such as invariance and bounded response. Experiments 
have shown that the size of the symbolic reachability graph is quite small in 
practice. Since both dynamic detection techniques 
are based on this graph, they are expected to be efficient in practice. 
Abstract. This paper discusses the adaptation of the PVS theorem prover for 
performing analysis of real-time systems written in the ASTRAL formal 
specification language. A number of issues were encountered during the 
encoding of ASTRAL that are relevant to the encoding of many real-time 
specification languages. These issues are presented as well as how they were 
handled in the ASTRAL encoding. A translator has been written that translates 
any ASTRAL specification into its corresponding PVS encoding. After 
performing the proofs of several systems using the encoding, PVS strategies 
have been developed to automate the proofs of certain types of properties. In 
addition, the encoding has been used as the basis for a transition sequence 
generator tool. 



1 Introduction 

A real-time system is a system that must perform its actions within specified time 
bounds. With the advent of cheap processing power and increasingly sophisticated 
consumer demands, real-time systems have become commonplace in everything from 
refrigerators to automobiles. Besides such numerous everyday uses, real-time 
systems are also being employed in more complex and potentially deadly applications 
such as weapons systems and nuclear reactor controls where deviation from critical 
timing requirements can result in disastrous loss of lives and/or property. It is thus 
desirable to extensively test and verify the designs of these systems to gain assurance 
that such disasters will not occur. A number of formal methods for real-time systems 
have been proposed [14] that provide a framework under which developers can 
eliminate ambiguity, reason rigorously about system design, and prove that critical 
requirements are met using well-defined mathematical techniques. Real-time systems 
are characterized by concurrency, asynchrony, nondeterminism, and dependence upon 
the external operating environment. Thus, the formal proofs of even simple real-time 
systems can be nontrivial. To make the verification of real-world real-time systems 
practical, mechanical proof assistance is necessary. 

One such form of assistance is an interactive theorem prover. Interactive theorem 
provers provide mechanical support for deductive reasoning. Each theorem prover is 
associated with a specification language in which a system and associated theorems 
are expressed. A theorem prover uses a collection of axioms and inference rules 
about its specification language to reduce a high-level proof into simpler subproofs 
that can eventually be discharged by basic built-in decision procedures that support 
arithmetic and boolean reasoning. Theorem provers provide a number of forms of 
assistance, including preserving the soundness of proofs, finishing off proof details 
automatically, keeping track of proof status, and recording proofs for reuse. 

This paper discusses the adaptation of the PVS theorem prover [8] for performing 
analysis of real-time systems written in the ASTRAL [5] formal specification 
language. A number of issues were encountered during the encoding of ASTRAL 
that are relevant to the encoding of many real-time specification languages. These 
issues are presented as well as how they were handled in the ASTRAL encoding. A 
translator has been written that translates any ASTRAL specification into its 
corresponding PVS encoding. After performing the proofs of several systems using 
the encoding, PVS strategies have been developed to automate the proofs of certain 
types of properties. In addition, the encoding has been used as the basis for a 
transition sequence generator tool. 

The remainder of this paper is organized as follows. In sections 2 and 3, brief 
overviews of ASTRAL and PVS are given. In section 4, the issues encountered 
during the encoding of ASTRAL are discussed. Section 5 describes the ASTRAL to 
PVS translator. Strategies for automating ASTRAL proofs and the use of PVS to 
develop a transition sequence generator are presented in section 6. Section 7 
discusses related work. Finally, section 8 provides some conclusions and directions 
for future research. 

2 ASTRAL 

In ASTRAL [5], a real-time system is described as a collection of state machine 
specifications, each of them representing a process type of which there may be 
multiple statically generated instances. There is also a global specification, which 
contains declarations for types and constants that are shared among more than one 
process type, as well as assumptions about the global environment and critical 
requirements for the whole system. 

An ASTRAL process specification consists of a sequence of levels. Each level is 
an abstract data type view of the system being specified. The first ("top level") view 
is a very abstract model of what constitutes the process (types, constants, variables), 
what the process does (state transitions), and the critical requirements the process 
must meet (invariants and schedules). Lower levels are increasingly more detailed 
with the lowest level corresponding closely to high level code. Figure 1 shows one of 
the process types of an elevator control system. The Elevator_Button_Panel process 
represents the button panel located within an elevator car. 

The process being specified is thought of as being in various states, with one state 
differentiated from another by the values of its state variables, which can be changed 
only by means of state transitions. Transitions are described in terms of entry and 
exit assertions, where entry assertions describe the constraints that state variables 
must satisfy in order for the transition to fire, and exit assertions describe the 
constraints that are fulfilled by state variables after the transition has fired. Variables 
are changed atomically at the end of a transition’s execution with variables not 
referenced in the exit assertion remaining unchanged. An explicit non-null duration is 
associated with each transition. A transition is executed as soon as it is enabled (i.e. 
when its entry assertion is satisfied), assuming no other transition for that process 
instance is executing. In the Elevator_Button_Panel process, the clear_floor_request 
transition is enabled when the elevator is currently stopped with its door opening at a 
floor that has been requested. 



PROCESS Elevator_Button_Panel
IMPORT
    floor, request_dur, clear_dur,
    elevator, elevator.position,
    elevator.door_open,
    elevator.door_moving
EXPORT
    floor_requested, request_floor
VARIABLE
    floor_requested(floor): boolean
INITIAL
    FORALL f: floor
        (~floor_requested(f))
TRANSITION request_floor(f: floor)
    ENTRY [TIME: request_dur]
        ~floor_requested(f)
    EXIT
        floor_requested(f)
            Becomes TRUE

TRANSITION clear_floor_request
    ENTRY [TIME: clear_dur]
        floor_requested(elevator.position)
        & ~elevator.door_open
        & elevator.door_moving
    EXIT
        floor_requested(elevator.position)
            Becomes FALSE
INVARIANT
    FORALL f: floor
        ( Change(floor_requested(f), now)
        & ~floor_requested(f)
        → EXISTS t: time
            ( Change2(floor_requested(f)) < t
            & t < now
            & past(elevator.position, t) = f
            & ~past(elevator.door_open, t)
            & past(elevator.door_moving, t)))



Fig. 1. The Elevator_Button_Panel process 



Every process can export both state variables and transitions; as a consequence, 
the former are readable by other processes and the external environment while the 
latter are executable from the external environment. Interprocess communication is 
accomplished by broadcasting the values of exported variables and the start and end 
times of exported transitions. In the Elevator_Button_Panel process, the 
floor_requested variable and the request_floor transition are exported. The position, 
door_open, and door_moving variables of the elevator process are imported. 

In addition to specifying system state (through process variables and constants) 
and system evolution (through transitions), an ASTRAL specification also defines 
system critical requirements and assumptions about the behavior of the environment 
that interacts with the system. The behavior of the environment is expressed by 
means of environment clauses, which describe assumptions about the pattern of 
invocation of external transitions. Critical requirements are expressed by means of 
invariants and schedules. Invariants represent requirements that must hold in every 
state reachable from the initial state, no matter what the behavior of the external 
environment is, while schedules represent additional properties that must be satisfied 
provided that the external environment behaves as assumed. 

The requirement and assumption clauses are expressed using a combination of 
first-order logic and ASTRAL-specific constructs. The main constructs are the timed 
operators used to express timing requirements. The start operator, Start(trans1, t1), 
takes a transition trans1 and a time t1 and returns true iff the last start of trans1 was at 
t1. Similarly, the end and call operators, End(trans1, t1) and Call(trans1, t1), return 
true iff the last end or the last call of trans1 was at t1. The change operator, 
Change(A, t), takes an expression A and a time t and returns true iff the last time A 
changed value was at t. The past operator, past(A, t), takes an expression A and a 
time t and returns the value of A at t. In addition to these operators, a special global 
variable now is used to denote the current time, where the time domain is the 
nonnegative real numbers. 

Using these operators, a variety of complex properties can be expressed. For 
example, the invariant of the Elevator_Button_Panel process states that between a 
change to floor_requested(f) and a change back to ~floor_requested(f) for any floor f, 
the elevator has been at f and its door has started opening. An introduction and 
complete overview of the ASTRAL language can be found in [5]. For the complete 
description and specification of the elevator system, see [16]. 

Rather than implementing a theorem prover for ASTRAL from scratch, it was 
decided to take advantage of an existing general-purpose theorem prover adapted for 
use with ASTRAL. PVS was considered ideal for ASTRAL given its powerful typing 
system, higher-order facilities, heavily automated decision procedures, and ease of 
use. Other theorem provers were also considered, including HOL [12] and ACL2 
[15]. HOL does not have the usability of PVS and its decision procedures are not as 
powerful [11]. ACL2 is also not as usable as PVS and has limited or no support for 
arbitrary quantification and real numbers [20]. 

3 PVS 

The Prototype Verification System (PVS) [8] is a powerful interactive theorem prover 
based on typed higher-order logic. A PVS specification consists of a modular 
collection of theories, where a theory is defined by a set of type, constant, axiom, and 
theorem declarations. PVS has a very expressive typing language, which includes 
functions, arrays, sets, tuples, enumerated types, and predicate subtypes. Types may 
be interpreted or uninterpreted. Interpreted types are defined based on existing types, 
while uninterpreted types must be defined axiomatically. Predicate subtypes allow 
the expression of complex types that must satisfy a given constraint. For example, the 
even numbers can be defined as "even_int: TYPE = {i: int | EXISTS (j: int): 2 * j = i}". 

For any assignment or substitution that involves a predicate subtype, PVS 
generates type correctness conditions (TCCs), which are obligations that must be 
proved in order for the rest of the proof to be valid. For example, for the declaration 
"e_plus_2(e: even_int): even_int = e + 2", PVS generates the following TCC: 

    % Subtype TCC generated (line 7) for e + 2
    e_plus_2_TCC1: OBLIGATION
        (FORALL (e: even_int): (EXISTS (j: int): 2 * j = e + 2));

That is, it must be shown that adding two to an even number is still an even number. 
Otherwise, the definition of e_plus_2 violates its stated type. 

Like types, constants can either be interpreted or uninterpreted. The value of an 
interpreted constant is stated explicitly, whereas the value of an uninterpreted constant 
is defined axiomatically. Besides types and constants, a theory declaration contains 
axioms, which are basic "truths" of the theory and theorems, which are hypotheses 
that are thought to be true, but that need to be proven with the prover. 

When the PVS prover is invoked on a theorem, the theorem is displayed in the 
form of a sequent. A sequent consists of a set of antecedents and a set of 
consequents, where if A1, ..., An are antecedents and C1, ..., Cm are consequents in the 
current sequent, then the current goal is (A1 & ... & An) => (C1 | ... | Cm). It is the 
user's job to direct PVS with prover commands such as instantiating quantifiers and 
introducing lemmas to show that either (1) there exists an i such that Ai is false, (2) 
there exists an i such that Ci is true, or (3) there exists a pair (i, j) such that Ai = Cj. 
PVS maintains a proof tree, which consists of all of the subgoals generated during a 
proof. Initially, when the prover is invoked on a theorem, the proof tree contains only 
the sequent form of that theorem. As the proof proceeds, subgoals may be generated 
and proved. To prove that a particular goal in the proof tree is true, all its subgoals 
must be proved true. PVS allows the user to define strategies, which are collections 
of prover commands that can be used to automate frequently occurring proof patterns. 

4 Encoding Issues 

While encoding ASTRAL within PVS, a number of issues arose that needed to be 
handled. Several of these issues are not exclusive to ASTRAL and occur in many 
different real-time specification languages. The following sections discuss some of 
these issues and how they were handled in the ASTRAL encoding. 

4.1 Formulas as Types 

In many real-time specification languages, a single formula may have multiple values 
depending on the temporal context in which it is evaluated. Depending on the 
language, the temporal context may be an explicit clock variable, or implicitly 
derivable from the formula. To encode such languages into a theorem prover, it is 
necessary to define formulas as types that can be evaluated in different contexts. 

Two different approaches have been used to encode formulas as types in PVS. In 
the TRIO to PVS encoding [1], an uninterpreted "TRIO_formula" type is introduced 
to handle this issue. In TRIO, the current time is always implicit, but the values of 
formulas in the past and future can be obtained relative to the current time using the 
dist operator, dist(A, t), which takes a formula A and a relative time t and gives the 
value of A at t time units from the current time. In the TRIO encoding, the dist 
operator is defined as a function of type [[TRIO_formula, time] -> TRIO_formula]. 
Axioms are defined to transform elements of type TRIO_formula to other elements of 
type TRIO_formula. Eventually, there must be a valuation from TRIO_formulas to 
real-world values (i.e. booleans, integers, etc.) so that the decision procedures of PVS 
can be invoked. Hence a valuation function is defined that takes a TRIO_formula and 
produces the corresponding boolean value assuming an initial context of the current 
time instant. 

The Duration Calculus (DC) is another real-time language that has been encoded 
into PVS [18]. DC is an implicit-time interval temporal logic in which the current 
interval is not explicitly known. Rather than using uninterpreted types to define 
formulas, however, the DC encoding takes advantage of the higher-order capabilities 
of PVS and defines formulas as functions of type [Interval -> bool]. DC operators are 
defined as Curried functions, which when given their original operands, return a 
function from an Interval to the original range of the operator. For example, the 
disjunction operator "∨" is defined as "∨(A, B)(i): bool = A(i) OR B(i)", where A and 
B are of the type [Interval -> bool] and i is of type Interval. Using this technique, the 
resulting functions can be combined normally, while still delaying the evaluation of 
the whole expression until a temporal context is given. Eventually, when a specific 
interval is given, an actual boolean value is obtained. 

For ASTRAL, the DC approach was chosen for several reasons. Since TRIO is an 
implicit-time temporal logic, one of the main motivations of the TRIO encoding was 
to keep the actual current time hidden. In ASTRAL, the current time can be explicitly 
referenced using the variable now, thus it was unnecessary to keep the time hidden. 
Another disadvantage of the TRIO encoding is that all of the axioms of first-order 
logic needed to be explicitly encoded into PVS to manipulate the TRIO_formula type. 
Using the DC encoding style, however, the built-in PVS framework could be utilized, 
which includes all first-order logic axioms. 

All ASTRAL operators have been defined as Curried functions from their operand 
domains to the type [time -> range]. For example, the ASTRAL operator 
Start(trans1, t1) takes a transition trans1 and a time t1 and returns true iff the last start 
of trans1 was at t1. Its PVS counterpart, Start1(trans1, at1), takes a transition trans1 
and an operand at1 of type [time -> time] and returns a function of type [time -> 
bool] such that when an evaluation time t1 is given will return true iff the last start of 
trans1 at time t1 was at time at1(t1). In the Start1 definition, shown below, as well as in 
the definitions of all ASTRAL operators that take a time operand, the time operand is 
itself of type [time -> time] and is only evaluated after an evaluation context is 
provided. 

    Start1(trans1: transition, at1: [time -> time])(t1: {t1: time | at1(t1) <= t1}): bool =
        Fired(trans1, at1(t1)) AND
        (FORALL (t2):
            at1(t1) < t2 AND t2 < t1 IMPLIES
                NOT Fired(trans1, t2))

With the operators defined in this manner, it is possible to combine ASTRAL 
operators in standard ways and yet still produce an expression that will only be 
evaluated once its temporal context is given. The explicit operator definitions also 
allow all expressions translated from ASTRAL to PVS to be easily expanded and 
reduced via the built-in mechanisms of PVS. The resulting encoding is very close to 
the ASTRAL base logic with only slight syntactic differences and allows a specifier 
who is familiar with the ASTRAL language to easily read the PVS expressions of 
ASTRAL formulas. 

4.2 Partial Functions 

Some specification languages such as Z [19] allow the definition of partial functions 
(i.e. functions that are only well defined at certain points) within specifications. 
Unlike some other theorem provers, PVS does not support the use of partial functions 
directly. To encode languages that allow the definition of partial functions or whose 
operators themselves may be partial functions into PVS, alternative approaches must 
be used. In lieu of partial functions, PVS has a very powerful predicate subtyping 
system that allows functions to be declared with domains of only those elements 
satisfying a given predicate, such as only those elements for which a function is well 
defined. The user then proves TCC obligations that the operand of each function 
satisfies the given predicate. For a specific class of functions, such as boolean 
functions, an alternative to predicate subtyping is to define a new domain that 
contains an additional undefined element and then modify the operators for that class 
of functions to use the new domain. For example, for boolean partial functions, a 
three-valued domain of {true, false, undefined} can be defined in PVS with boolean 
operators modified to work with the new domain. 

The partial functions in ASTRAL are the operators that take a time as an 
argument. In ASTRAL, only times in the past may be referenced, thus any formula 
that references a time beyond the value of now is undefined. In encoding these 
operators into PVS, the choice was made to use the subtyping mechanism of PVS for 
similar reasons as the choice to use the DC encoding style. Namely, it was preferable 
to rely on the existing PVS framework as much as possible. There were also a 
number of disadvantages to explicitly adding an undefined value and then modifying 
the appropriate operators. For instance, many additional axioms needed to be added 
to derive and manipulate expressions containing the undefined element. The main 
drawback, however, is that the ASTRAL past operator, past(A, t), which takes an 
expression A and a time t and returns the value of A at t, is a polymorphic function. 
That is, the past operator can have multiple types depending on the type of A. Since 
past takes a time, it is undefined when t is greater than now. Since A can be of any 
type, essentially every type in the specification and hence every operator in the 
language would need to be redefined using an undefined element. This was highly 
undesirable and would have unnecessarily complicated both the encoding and the 
resulting proofs. 

Instead, by using the PVS subtyping mechanism, the user must prove TCCs 
showing that the time operand of any timed operator used in a specification is less 
than or equal to the temporal context given to the operator. Most of these obligations 
will be trivial given that the time operands are usually based on now directly or on a 
quantified time variable that was appropriately limited. 

The definition of the Start1 operator in the previous section demonstrates the use 
of the subtyping mechanism. The time operand of the Start1 function, at1, is of type 
[time -> time] and is only evaluated after an evaluation context is provided. Since it 
is not known whether at1(t1) will be a valid operand or not (i.e. will cause the 
expression to be undefined), t1 is limited by the PVS typing system to be greater than 
or equal to at1(t1). It is then the user's job to show via a TCC obligation that any 
evaluation times of a Start1 expression occurring in a specification are permissible. 
The other timed operators of ASTRAL are defined in a similar manner. 
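The encoding style of sections 4.1 and 4.2, as an added Python example that is not the paper's PVS encoding or the translator's output: ASTRAL timed operators become Curried functions whose last argument is the evaluation time, so formulas can be combined before any temporal context is supplied, and the predicate-subtype restriction at1(t1) <= t1 of Start1 becomes a check that raises where PVS would leave a TCC to prove. The transition start times, the variable history, the helper names (fired, start1, past, conj, now, at, Undefined, _check_context) and the durations behind the history are all constructed for the example.

```python
"""ASTRAL timed operators as functions of an evaluation time: a constructed Python analogue of the
DC-style PVS encoding described in the paper (not the translator's output)."""
from bisect import bisect_right

# Constructed history of one process instance: start times of two transitions and the change history
# (time, value) of one exported variable. The durations 2 and 1 behind the changes are assumed.
FIRINGS = {"request_floor": [1.0, 4.0, 9.0], "clear_floor_request": [6.0]}
FLOOR_REQUESTED = [(0.0, False), (3.0, True), (7.0, False)]


class Undefined(Exception):
    """Raised where PVS would leave a TCC: a timed operator received a time beyond its evaluation context."""


def fired(trans1, t):
    """The paper's Fired(trans1, t): true iff trans1 fired (here: started) at time t."""
    return t in FIRINGS[trans1]


def _check_context(at1, t1):
    """The {t1: time | at1(t1) <= t1} predicate subtype of Start1: only past times may be referenced."""
    a = at1(t1)
    if a > t1:
        raise Undefined(f"time operand {a} lies beyond the evaluation time {t1}")
    return a


def start1(trans1, at1):
    """Curried Start(trans1, at1): a formula, i.e. a function of the evaluation time t1, that is true iff
    the last start of trans1 at time t1 was at at1(t1), mirroring the Start1 definition on the page."""
    def formula(t1):
        a = _check_context(at1, t1)
        return fired(trans1, a) and not any(a < t2 < t1 for t2 in FIRINGS[trans1])
    return formula


def past(history, at1):
    """Curried past(A, at1): the value of A at time at1(t1), likewise defined only for at1(t1) <= t1."""
    def formula(t1):
        a = _check_context(at1, t1)
        return history[bisect_right([t for t, _ in history], a) - 1][1]
    return formula


def conj(f, g):
    """ASTRAL '&' lifted to formulas, in the style of the DC encoding's disjunction on the page."""
    return lambda t1: f(t1) and g(t1)


def now(t1):
    """The time operand 'now' is the evaluation time itself."""
    return t1


def at(c):
    """A constant time operand, as a [time -> time] function."""
    return lambda t1: c


if __name__ == "__main__":
    # Combine formulas first, then supply the temporal context (the evaluation time).
    requested_since_4 = conj(start1("request_floor", at(4.0)), past(FLOOR_REQUESTED, now))
    print(requested_since_4(5.0))  # True: last start at 4.0, still requested at 5.0
    try:
        start1("request_floor", at(9.0))(5.0)
    except Undefined as exc:
        print("TCC-style obligation fails:", exc)
```

Evaluating start1("request_floor", at(1.0)) at time 5.0 gives False because a later start at 4.0 lies strictly between the operand and the evaluation time, exactly the FORALL clause of the PVS definition; asking for at(9.0) at time 5.0 raises Undefined, the runtime counterpart of the obligation that PVS generates statically from the subtype.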

4.3 Noninterleaved Concurrency 

Concurrency in real-time systems can be represented by either an interleaved or a 
noninterleaved model. In an interleaved model, concurrent events occur sequentially 
between changes to time, while in a noninterleaved model, concurrent events occur 
simultaneously without an implied ordering. Timed state-machine languages that use 
an interleaved model of concurrency use an explicit "tick" transition to change time. 
The combination of the implied ordering of interleaved concurrency and the use of a 
tick transition allows the semantics of interleaved timed state-machine languages to 
be simplified significantly over their noninterleaved counterparts because a system 
execution can be represented as a sequence of transitions rather than an interval of 
time in which one or more events occur or do not occur at each time. The proof 
obligations for such languages are also correspondingly simplified since they can be 
inductive on the nth transition to fire rather than a full induction on a possibly dense 
time domain. 

In ASTRAL, the proof obligations are carried out modularly by proving the 
properties of each process individually and then proving global properties based on 
the collection of process properties. Although the sequence of transitions that fire in a 
particular process can be represented by an interleaved model since transition 
execution is nonoverlapping, this sequence is not enough to discharge the proof 
obligations of the process. Transition entry assertions and process properties can 
reference calls from the external environment, changes to the values of imported 
variables, and call/start/end times of imported transitions. These events can occur at 
any time with respect to the sequence of transitions in a particular process. Thus, the 
semantic representation of ASTRAL needs to handle multiple concurrent events as 
well as gaps in time in which no events occur, which requires a noninterleaved model 
of concurrency. 

The semantics of ASTRAL are based on the predicates Called and Fired. 
Called(trans1, t1) is true iff transition trans1 was called from the external environment 
at time t1. Fired(trans1, t1) is true iff trans1 fired at t1. Since a different transition 
may be executing on each process instance, each process instance has a separate Fired 
and Called predicate. In ASTRAL, a given process instance "knows" its own 
execution history completely, but only knows the portion of the execution history of 
other process instances that pertains to the exported transitions of those instances. In 
the semantics, for a given process instance, the Fired and Called predicates of the 
process can be used to derive information about the state variables of the process and 
vice-versa. The predicates of other process instances, however, can only be used to 
derive a limited amount of information about those processes. Namely, if an imported 
transition ended, then it is known there was a corresponding start and similarly, if an 
imported transition started, then it was called. 

Two of the ten axioms of the ASTRAL axiomatization are shown below. The 
axiomatization of ASTRAL into PVS is a much revised and expanded version of the 
ASTRAL axiomatization of [7] and includes corrections for both soundness and 
completeness. The full version of the semantics presented in this paper defines the 
current formal semantics of the ASTRAL language. The trans_fire axiom states that 
if some transition is enabled and the process is idle (i.e. no transition in the middle of 
execution), then some transition fires. The trans_mutex axiom states that whenever a 
transition fires, no other transition can fire until its duration has elapsed (i.e. until the 
transition ends). This axiom combined with trans_fire is sufficient to show that a 
single unique transition fires on a particular process instance when some transition is 
enabled and the process is idle. Note that since the semantics cannot be represented 
by a sequence of transitions as in an interleaved model, it is necessary to assure that a 
process is actually idle in order for a transition to fire. 
trans_fire: AXIOM 
  (FORALL (t1): 
    (EXISTS (trans1): 
      Enabled(trans1, t1)) AND 
    (FORALL (trans2, t2): 
      t1 - Duration(trans2) < t2 AND 
      t2 < t1 IMPLIES 
        NOT Fired(trans2, t2)) IMPLIES 
    (EXISTS (trans1): 
      Fired(trans1, t1))) 

trans_mutex: AXIOM 
  (FORALL (trans1, t1): 
    Fired(trans1, t1) IMPLIES 
      (FORALL (trans2): 
        trans2 /= trans1 IMPLIES 
          NOT Fired(trans2, t1)) AND 
      (FORALL (trans2, t2): 
        t1 < t2 AND 
        t2 < t1 + Duration(trans1) IMPLIES 
          NOT Fired(trans2, t2))) 



Since ASTRAL is based on noninterleaved concurrency, the intra-level proof 
obligations [7] (i.e. the proof obligations necessary to show that the invariant and 
schedule of a level hold) are inductive on ASTRAL's time domain. Since the time 
domain of ASTRAL is the nonnegative real numbers, however, and simple induction 
on that domain is not valid, the induction must be performed on nonempty intervals of 
the nonnegative reals. That is, the induction hypothesis is assumed up to some 
arbitrary time T0 and the user must show that it holds for a constant length of time Δ 
> 0 afterwards. The induction case of the invariant proof obligation is shown below. 

invariant_induct: THEOREM 
  (FORALL (T1): T1 < T0 IMPLIES Invariant(T1)) IMPLIES 
  (FORALL (T1): T0 < T1 AND T1 < T0 + Δ IMPLIES Invariant(T1)) 

For the induction to be reasonable, Δ must be bounded because the bigger Δ 
becomes, the more difficult it is to prove that the property holds at the times close to 
the upper bound T0 + Δ. This is because at those times, more and more time has 
elapsed since the last known state of the system (i.e. when the inductive hypothesis 
held). In translating the proof obligations into PVS, it was not possible to say that Δ 
is "as small as possible". Instead, an explicit upper bound needed to be chosen to 
restrict Δ. The upper bound chosen for the ASTRAL encoding was a value less than 
the smallest transition duration. That is, the conjunct "(FORALL (trans1: transition): 
Δ < Duration(trans1))" was added to the proof obligation above. 

This bound is satisfactory for a number of reasons. The main justification is that 
with Δ bounded by the smallest duration, only a single transition can fire or complete 
execution within the proof interval. This is advantageous because if only a single 
transition can end, then the state variables can only change once within the interval. 
Additionally, if a transition did end within the interval, then the inductive hypothesis 
held when the transition began firing. These qualities are useful for automating the 
proofs of certain types of properties as will be shown in section 6.1. 
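The following Python is an added illustration of the two facts used above; it is not part of the paper or of the ASTRAL-PVS library. It checks a constructed firing trace of one process instance against the trans_mutex axiom, then shows why the bound Δ < Duration matters: inside a proof interval (T0, T0 + Δ] at most one transition end can occur, and that transition started before T0, whereas a larger Δ admits two ends. The transition names, durations and trace are made up for the example.

```python
"""Added example: trans_mutex and the Delta bound on a constructed trace.

A trace is a list of (transition, fire_time) pairs for one process instance;
Fired(trans, t) holds exactly for the pairs in the list. Names, durations and
the trace are constructed for this example, not taken from the paper's testbed.
"""

DURATIONS = {"open_door": 2.0, "door_stop": 1.0, "close_door": 2.0}

# Constructed trace: open_door fires at 0 (ends 2), door_stop at 2 (ends 3),
# close_door at 5 (ends 7), door_stop again at 7 (ends 8).
TRACE = [("open_door", 0.0), ("door_stop", 2.0), ("close_door", 5.0), ("door_stop", 7.0)]


def mutex_violations(trace, durations):
    """Pairs of firings that break trans_mutex.

    Once trans1 fires at t1, no other transition may fire at t1 and nothing may
    fire in (t1, t1 + Duration(trans1)): the process is busy until trans1 ends.
    """
    ordered = sorted(trace, key=lambda e: e[1])
    bad = []
    for i, (tr1, t1) in enumerate(ordered):
        end1 = t1 + durations[tr1]
        for tr2, t2 in ordered[i + 1:]:
            if t2 < end1:  # fired while tr1 was still executing
                bad.append(((tr1, t1), (tr2, t2)))
    return bad


def ends_in(trace, durations, t0, delta):
    """Transition ends that fall inside the proof interval (t0, t0 + delta]."""
    return [(tr, t + durations[tr]) for tr, t in trace
            if t0 < t + durations[tr] <= t0 + delta]


def delta_bound(durations):
    """The encoding's bound: Delta must stay strictly below every duration."""
    return min(durations.values())


def proof_interval_facts(trace, durations, t0, delta):
    """Return (ends, started_before_t0) for the interval (t0, t0 + delta].

    With delta < min Duration and a trace satisfying trans_mutex, the list has
    at most one element and the flag is True: an end at T1 <= t0 + delta means
    a start at T1 - Duration < t0 + delta - Duration < t0, so the inductive
    hypothesis held when that transition began firing.
    """
    if not delta < delta_bound(durations):
        raise ValueError("delta must be smaller than every transition duration")
    if mutex_violations(trace, durations):
        raise ValueError("trace violates trans_mutex")
    ends = ends_in(trace, durations, t0, delta)
    started_before = all(t_end - durations[tr] < t0 for tr, t_end in ends)
    return ends, started_before


if __name__ == "__main__":
    print(mutex_violations(TRACE, DURATIONS))                # []
    print(proof_interval_facts(TRACE, DURATIONS, 1.5, 0.9))  # ([('open_door', 2.0)], True)
    print(ends_in(TRACE, DURATIONS, 1.5, 1.5))               # two ends: the bound is violated
```

With Δ = 0.9 (below the smallest duration of 1.0) the interval starting at T0 = 1.5 contains only the end of open_door, which started at time 0; with Δ = 1.5 the same interval also contains the end of door_stop, which is exactly the situation the bound rules out.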



5 PVS Library and Translator 

The axiomatization and operator definitions discussed in section 4 have been 
incorporated into an ASTRAL-PVS library. The library contains the specification- 
independent core of the ASTRAL language. In the axiomatization and operators, 
some of the theories are parameterized by type and function constants. For example, 
to define the trans_fire axiom, the type "transition" and the function "Duration" need 
to be supplied to the axiomatization. In order to use the axiomatization, the 
appropriate types and functions must be defined based on the specification to be 
verified. An ASTRAL to PVS translator has been developed to automatically 
construct all the appropriate definitions. 

The major obstacle in translating ASTRAL specifications is translating identifiers 
with types involving lists and structures. In ASTRAL, it is possible to define 
arbitrary combinations of structures and lists as types, thus references to variables of 
these types can become quite complex. For example, consider the following type 
declarations: "list1: list of integer" and "struct1: structure of (l_one(integer): list1)". 
If s1 is a variable of type struct1, valid uses of s1 would include s1 by itself, 
s1[l_one(5)], and s1[l_one(5)][9]. The translation of expressions such as these must 
result in a Curried time function, so that it can be used with the definitions of the 
Curried boolean and arithmetic operators. The expression in each bracket can be 
time-dependent, so it is necessary to define the translation such that an evaluation 
context (i.e. time) given to the expression as a whole is propagated to all expressions 
in brackets. 

In the translation of this example, s1 is a function of type [time → struct1] and 
struct1 is a record [# l_one: [integer → list1] #]. The expression "s1[l_one(5)][9]" 
becomes "(λ(T1: time): nth(((λ(T1: time): l_one((s1)(T1))((const(5))(T1))))(T1), 
(const(9))(T1)))". The lambdas are added to propagate the temporal context given to 
the formula as a whole. Although the lambda expression generated for s1 looks very 
difficult to decipher, translated expressions will never actually be used in this "raw" 
form. In the proof obligations, a translated expression is always evaluated in some 
context before being used. Once this evaluation occurs, all the lambdas drop out and 
the expression is simplified to a combination of variables and predicates. For 
example, the expression above evaluated at time t becomes "nth(l_one((s1)(t))(5), 9)". 
First, the value of the variable s1 is evaluated at time t. Then, the record member 
l_one is obtained from the resulting record. This member is parameterized, so it is 
given a parameter of 5. Finally, element 9 of the resulting list is obtained. 
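The following Python is an added illustration, not code from the paper or the translator, of the Curried time functions described in this section and of the bounded time operand discussed for the past operator in section 4. Each translated expression is a function of the evaluation context; operators are lifted so that the context given to the whole formula reaches every operand, including time-dependent index expressions. The variable history s1 and its list contents are constructed for the example, and the PVS subtype condition on the operand of past is replaced by a runtime check.

```python
"""Added example: Curried time functions in the style of the ASTRAL-to-PVS
translation, in Python. The history s1 is constructed for this example."""


def const(v):
    """A literal lifted to a time function: the same value at every time."""
    return lambda t: v


def lift(op):
    """Lift an ordinary operator to operands that are time functions; the
    context t handed to the result is propagated to every operand."""
    return lambda *operands: (lambda t: op(*(x(t) for x in operands)))


# Curried forms of the operators the translated expression needs.
nth = lift(lambda lst, i: lst[i])                      # list element
member = lift(lambda rec, name, arg: rec[name](arg))   # parameterised record member


def past(expr, at):
    """ASTRAL's past(A, t) as a Curried time function.

    In the PVS encoding the time operand is a subtype bounded by the context,
    so a TCC discharges at(now) <= now; here the same condition is a runtime
    check. Negative times are rejected as well, since ASTRAL's time domain is
    the nonnegative reals.
    """
    def evaluated(now):
        t = at(now)
        if t > now or t < 0:
            raise ValueError(f"past() is undefined at {t} for context {now}")
        return expr(t)
    return evaluated


def is_defined(timed_expr, now):
    """True when evaluating timed_expr in context now hits no undefined past()."""
    try:
        timed_expr(now)
        return True
    except ValueError:
        return False


def s1(t):
    """Constructed history of a variable of type struct1: at time t its l_one
    member maps an integer k to the list [10*k + t, 10*k + t + 1, ...]."""
    return {"l_one": lambda k: [10 * k + t + i for i in range(12)]}


# Translation of s1[l_one(5)][9]: the context reaches s1, const(5) and const(9).
s1_l_one_5_9 = nth(member(s1, const("l_one"), const(5)), const(9))

# Index expressions may themselves be time-dependent; here the list index is
# the context time reduced modulo the list length.
s1_l_one_5_now = nth(member(s1, const("l_one"), const(5)), lambda t: t % 12)

# past(s1[l_one(5)][9], now - 2): the value two time units before the context.
s1_two_ago = past(s1_l_one_5_9, lambda now: now - 2)


if __name__ == "__main__":
    print(s1_l_one_5_9(3))    # 62
    print(s1_l_one_5_now(7))  # 64
    print(s1_two_ago(5))      # 62
    print(is_defined(s1_two_ago, 1))  # False: would look 1 unit before time 0
```

Evaluating s1_l_one_5_9 at 3 performs exactly the simplification described above: s1 is evaluated at 3, its l_one member is applied to 5, and element 9 of the resulting list is taken.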

For the full details of the axiomatization of the ASTRAL abstract machine, the 
operator definitions, and the ASTRAL to PVS translator, see [16]. 

6 Proof Assistance and Automation 

After a specification is translated, the user must prove the inductive proof obligations 
discussed in section 4.3. In general, the proof obligations are undecidable so they 
require a fair amount of interaction with the prover. For timed properties, this 
interaction usually consists of setting up the sequences of transitions that are possible 
within the prover, proving that each sequence is indeed possible, and then showing 
that the time of the sequence is less than the required time. Portions of these proofs 
can be automated with appropriate PVS strategies [16], but the user must still direct 
PVS during much of the reasoning. There are some property types, however, that can 
oftentimes be proven fully automatically by PVS. After performing the proofs of 
several systems using the encoding, PVS strategies have been developed to assist the 
user in proving these types of properties. 
6.1 Untimed Formulas 

The try-untimed strategy was written to attempt the proofs of properties that do not 
involve time and only deal with combinations of state variables of a single process 
instance. For example, in the Elevator process type, one such property in the 
invariant section is "elevator_moving → ~door_moving". That is, whenever the 
elevator car is moving, the elevator door should not be in the process of opening or 
closing. This property was proved completely unassisted by the try-untimed strategy. 

The basis of the try-untimed strategy is that in the interval T0 to T0 + Δ of the 
proof obligations, the state variables either stay the same or one or more of them 
change. If the variables stay the same, then by the inductive hypothesis, the property 
holds at all times in the interval. If a variable changes during the interval, then by the 
semantics of ASTRAL, a transition ended at the time of the change. Furthermore, 
since transitions are nonoverlapping and, as discussed, Δ has been limited to a 
constant less than the duration of any transition, only a single transition end can occur 
within the interval. Figure 2 depicts this situation. Let T1 be the time of such an end. 
Since no transition ended in the interval [T0, T1), the state variables must have stayed 
the same during that time period, thus the property holds by the inductive hypothesis. 
Similarly, since no transition ended in the interval (T1, T0 + Δ], the variables are 
unchanged in that region, thus the property holds in that region if it holds at T1. The 
bulk of the strategy is thus devoted to proving that the property holds at T1. 

[Fig. 2 (time line): the invariant holds up to T0; the proof interval runs from T0 to 
T0 + Δ; trans1 starts at T1 - Duration(trans1), before T0, and ends at T1 inside the 
interval.] 

Fig. 2. Proof interval 

To prove this, it must be shown that all transition exit assertions preserve the 
property, thus the proof is split into a case for each transition and the transition’s entry 
and exit clauses are asserted. Once again, since Δ was limited to less than the 
duration of any transition, the start of the transition occurred before TO, thus the 
property held at the start of the transition. From this point, a modified version of the 
PVS grind command, which is a heavy-duty decision procedure that performs 
rewriting, skolemization, and automatic quantifier instantiation, is invoked to finish 
the proof. Grind in unmodified form rewrites all definitions in a specification. The 
modified version does not rewrite the timed ASTRAL operators, since it is unlikely 
that the decision procedures could use the information efficiently, thus expanding the 
operators would only increase the running time of the strategy. 

A side benefit of the try-untimed strategy is that even when it fails, it is still 
advantageous for the user to run it because usually only very difficult cases will be 
left for the user to prove. When the strategy fails, it is due to one of three reasons. 
The first reason is that the user invoked the strategy on a timed property or one that 
involves imported variables. In this case, it is likely that most of the cases will fail, 
since try-untimed was not intended to deal with these types of properties. The second 
reason is that one or more transitions do not preserve the property. In this case, the 
user knows the exact transitions that failed since PVS will require further interaction 
to complete those cases. The user can correct the specification before continuing with 
other proofs. The last reason, which will be the most likely, is that it failed because 
there was not enough information in the entry assertion of a transition to prove the 
property. Usually, this occurs when the value of a variable in the formula to be 
proved is not explicitly stated in the entry assertion of the transition, but instead is 
implied by the sequences preceding that particular transition. For example, consider 
the elevator property "elevator_moving → ~door_open". That is, the door must be 
closed while the elevator car is moving. After running the try-untimed strategy, all 
the transition cases are proved except for the "door_stop" case. The door_stop 
transition, shown below, stops the door in either the open or closed position after a 
suitable length of time from when the door started moving. 

TRANSITION door_stop 
  ENTRY [TIME: door_stop_dur] 
    door_moving 
    & now - t_move_door > Change(door_moving) 
  EXIT 
    ~door_moving 
    & door_open = ~door_open' 

The strategy fails for this case because it is possible for door_open to be set to true 
in the exit assertion and yet the value of elevator_moving is not stated in the entry 
assertion so can possibly be true if door_stop follows a transition in which 
elevator_moving is true. If elevator_moving is true and door_open is false when 
door_stop begins firing, then the formula will hold at the start of execution yet will 
not hold at the end of execution. In order to complete the proof of this property, it is 
necessary to consider the transitions that can fire immediately before door_stop. If 
the proof still cannot be completed, transitions must be considered further and further 
back in time. Eventually, the formula will be provable or a violation will occur. 

6.2 Transition Sequence Generator 

Since sequencing is so important to proving some properties, it is useful to provide 
the user with a tool to view the transition sequences that can occur in a given process 
type. Such a tool can be used to estimate time delays between states, help the user 
visualize the operation of the system, and in some cases can be used to prove simple 
system properties. Unlike graphical state-machine languages in which the successor 
information is part of the specification, in textual languages such as ASTRAL, 
sequencing cannot be determined without more in-depth analysis. In addition, 
determining whether one transition is the successor of another in ASTRAL is 
undecidable since transition entry/exit assertions may be arbitrary first-order logic 
expressions. Many successors, however, can be eliminated based only on the simpler 
portions of the entry/exit assertions, such as boolean and enumerated variables. 
Based on this fact, a transition sequence generator tool has been developed. 

The sequence generator first eliminates as many transition successors as possible. 
This is done by attempting the proof of an obligation trans1_not_trans2 for each pair 
of transitions (trans1, trans2) as shown below. Note that this obligation only states 
that some transition must end between trans1 and trans2 and does not exclude trans1 
or trans2 from firing. The obligation is sufficient, however, to prove that a transition 
besides trans1 and trans2 must fire in between any firing of trans1 and trans2. If only 
trans1 and trans2 fire in between t1 and t2, then since t2 - t1 is finite and the durations 
of trans1 and trans2 are constant and non-null, eventually a contradiction can be 
achieved by applying the theorem below repeatedly on an ever shortening interval. 

trans1_not_trans2: THEOREM 
  (FORALL (t1, t2): 
    t1 + Duration(trans1) < t2 AND 
    Fired(trans1, t1) AND 
    Fired(trans2, t2) IMPLIES 
      (EXISTS (trans3, t3): 
        t1 + Duration(trans1) < t3 + Duration(trans3) AND 
        t3 + Duration(trans3) < t2 AND 
        Fired(trans3, t3))) 

initial_not_trans1: THEOREM 
  (FORALL (t1): 
    Fired(trans1, t1) IMPLIES 
      (EXISTS (trans2, t2): 
        t2 + Duration(trans2) < t1 AND 
        Fired(trans2, t2))) 

An obligation initial_not_trans1, as shown above, is also attempted to prove that 
each transition is not the first to fire after the initial state. The PVS strategies try-seq- 
gen and try-seq-gen-0 were written to automatically discharge these obligations. The 
try-seq-gen strategy uses abstract machine axioms to introduce the entry and exit 
assertions of trans1, the entry assertion of trans2, and the fact that if nothing ended 
between the end of trans1 and the start of trans2, then all variable values remained 
constant during this time. Once all of this information is present, the strategy invokes 
the modified grind command as discussed for the try-untimed strategy. The try-seq- 
gen-0 strategy is similar but uses the initial clause of the process in place of the 
information about trans1. 
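The following Python is an added illustration, written for this page and not part of the paper or the ASTRAL SDE, of the boolean core of both the try-untimed strategy of section 6.1 and the successor test of the sequence generator. It models only the boolean state variables of a constructed elevator process: door_stop and arrive follow the clauses the paper shows (timed conjuncts and the position variable dropped), while open_door, close_door, move_up and move_down are assumed shapes written for the example (open_door clears elevator_moving, as the text states). Variables an exit clause does not assign are assumed to keep their pre-state value. The example reproduces the two outcomes described in the text: "elevator_moving → ~door_moving" is preserved by every transition, "elevator_moving → ~door_open" fails only in the door_stop case, and the pairwise successor test cannot rule out arrive as a predecessor of door_stop.

```python
"""Added example: per-transition invariant cases (try-untimed) and pairwise
successor elimination (sequence generator) on a constructed elevator model.
Only boolean state variables are modelled; timed conjuncts are dropped."""
from itertools import product

VARS = ("elevator_moving", "door_moving", "door_open")


def states():
    """Every assignment of the boolean state variables."""
    for bits in product((False, True), repeat=len(VARS)):
        yield dict(zip(VARS, bits))


# transition -> (entry predicate on the pre-state s, exit function giving the
# possible post-states for s; primed values in ASTRAL are the pre-state).
# Unassigned variables keep their value (assumed frame rule).
TRANSITIONS = {
    "open_door": (lambda s: not s["door_moving"] and not s["door_open"],
                  lambda s: [dict(s, door_moving=True, elevator_moving=False)]),
    "close_door": (lambda s: not s["door_moving"] and s["door_open"]
                   and not s["elevator_moving"],
                   lambda s: [dict(s, door_moving=True)]),
    # door_stop as quoted in section 6.1, without the timing conjunct.
    "door_stop": (lambda s: s["door_moving"],
                  lambda s: [dict(s, door_moving=False, door_open=not s["door_open"])]),
    "move_up": (lambda s: not s["elevator_moving"] and not s["door_moving"]
                and not s["door_open"],
                lambda s: [dict(s, elevator_moving=True)]),
    "move_down": (lambda s: not s["elevator_moving"] and not s["door_moving"]
                  and not s["door_open"],
                  lambda s: [dict(s, elevator_moving=True)]),
    # arrive only updates position, which is not modelled here.
    "arrive": (lambda s: s["elevator_moving"], lambda s: [dict(s)]),
}


def counterexamples(trans, prop):
    """try-untimed's case for one transition: pre-states where the entry
    assertion and prop (the inductive hypothesis) hold but some post-state
    violates prop."""
    entry, exit_ = TRANSITIONS[trans]
    return [(s, n) for s in states() if entry(s) and prop(s)
            for n in exit_(s) if not prop(n)]


def failing_transitions(prop):
    """Transition cases the strategy would leave to the user."""
    return sorted(t for t in TRANSITIONS if counterexamples(t, prop))


def can_follow(t1, t2):
    """Successor test: some post-state of t1 satisfies t2's entry assertion.
    Like trans1_not_trans2 it uses only the clauses of the two transitions, so
    it keeps successors that a longer backward analysis could rule out."""
    entry1, exit1 = TRANSITIONS[t1]
    entry2, _ = TRANSITIONS[t2]
    return any(entry2(n) for s in states() if entry1(s) for n in exit1(s))


def predecessors(t2):
    return sorted(t1 for t1 in TRANSITIONS if can_follow(t1, t2))


def moving_implies_door_still(s):
    return not s["elevator_moving"] or not s["door_moving"]


def moving_implies_door_closed(s):
    return not s["elevator_moving"] or not s["door_open"]


if __name__ == "__main__":
    print(failing_transitions(moving_implies_door_still))   # []
    print(failing_transitions(moving_implies_door_closed))  # ['door_stop']
    print(predecessors("door_stop"))  # ['arrive', 'close_door', 'open_door']
```

The single counterexample for door_stop is the state with elevator_moving and door_moving true and door_open false, which is exactly the situation the text describes: the entry assertion says nothing about elevator_moving, so the prover must assume it may be true. Likewise can_follow("door_stop", "arrive") stays true in this abstraction, matching the spurious successor discussed below.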

Table 1 shows the results of using these strategies to compute the successors for 
each process type of a set of testbed systems developed in [16], which includes the 
elevator control system. For each process type, the table shows the maximum number 
of successors, the number of successors that are provably possible, and the number 
that were computed automatically using the try-seq-gen strategies. 

There are two main factors that contribute to the difference between the number of 
successors that are provably possible and the number computed by the try-seq-gen 
strategies in the testbed systems. The first factor is that entry assertions do not 
usually constrain all of the state variables of a process. For example, the entry 
assertion of the door_stop transition, shown in section 6.1, constrains the value of 
door_moving, but does not constrain the value of elevator_moving. 

When proving that the arrive transition, shown below, cannot follow door_stop, 
PVS does not have information about the value of elevator_moving at the start of 
door_stop, which is only derivable from the transitions preceding door_stop. Thus, 
PVS must assume an arbitrary symbolic value for elevator_moving. It is possible that 
elevator_moving is true, thus PVS cannot eliminate the possibility that arrive 
immediately follows door_stop. It is provable that this is not the case, however, 
because it is not possible to find a sequence of transitions starting from the initial state 
in which arrive can immediately follow door_stop. The only possible predecessors to 
door_stop are open_door and close_door. Open_door sets elevator_moving to false in 
its exit assertion, thus if open_door immediately precedes door_stop, arrive cannot 
follow door_stop. Similarly, it is possible to show that close_door must be preceded 
by door_stop, which is preceded by open_door. Thus, arrive cannot follow 
door_stop. 

TRANSITION arrive 
  ENTRY [TIME: arrive_dur] 
    elevator_moving 
    & FORALL t: time 
        ( t < now 
        & ( End(move_down, t) 
          | End(move_up, t)) 
        → now - t_move > t) 
    & FORALL t, t1: time 
        ( t < now 
        & End(arrive, t) 
        & ( End(move_up, t1) 
          | End(move_down, t1)) 
        → t < t1) 
  EXIT 
    IF going_up' 
    THEN position = position' + 1 
    ELSE position = position' - 1 
    FI 



In order to improve the accuracy of the sequence generator for these processes, it 
would be necessary to examine sequences back to a transition that causes a 
contradiction. This is a non-terminating procedure, however, whenever the second 
transition of a successor obligation actually is a successor of the first, thus it is 
necessary to specify termination conditions such as a specific number of transitions 
into the past or similar criteria. In general, this procedure is not worth the additional 
time it would require unless the number of successors that could be eliminated using a 
small number of backward steps is significantly higher than the number of actual 
successors. As an alternative, the user can fully constrain all of the state variables in 
the entry assertions. 

The second factor that contributes to the difference between the number of 
provable successors and the number computed by the try-seq-gen strategies is the use 
of timed operators to define the sequencing between different operations. For 
example, the end operator is used in the arrive transition to prevent arrive from 
following itself. In the proof of the successor obligation arrive_not_arrive, arrive 
fires at t1 and t2 and no other transition fires in between. By the last conjunct of 
arrive's entry assertion, there must be an end to move_up or move_down between the 
last time arrive ended (t1 + arrive_dur) and the next time it fires (t2), which 
contradicts the fact that no transition fires in between t1 and t2. This proof cannot be 
carried out without the use of the end operator. The definition of the end operator 
within PVS, however, is quite complex with several quantifiers, thus there is little 
hope that PVS could automatically prove such an obligation. For this reason, the 
modified grind used in the try-seq-gen strategies does not expand any of the timed 
operators, which prevents work from being wasted. 
Table 1. Transition successors of testbed systems 

System              Process Type            maximum     actual      computed 
                                            successors  successors  successors 
Bakery Algorithm    Proc                         42           8          25 
Cruise Control      Accelerometer                 2           2           2 
                    Speed_Control               132          76          94 
                    Speedometer                   2           2           2 
                    Tire_Sensor                   2           2           2 
Elevator            Elevator                     42          13          24 
                    Elevator_Button_Panel         6           4           4 
                    Floor_Button_Panel           20          14          14 
Olympic Boxing      Judge                         2           2           2 
                    Tabulate                     12           4           6 
                    Timer                         6           3           3 
Phone               Central_Control             420         235         312 
                    Phone                       110          50          69 
Production Cell     P_Crane                     156          13          36 
                    P_Deposit                     6           3           3 
                    P_Deposit_Sensor              6           3           3 
                    P_Feed                       20          14          14 
                    P_Feed_Sensor                 6           3           3 
                    P_Press                      42           7           7 
                    P_Robot                     420          21         129 
                    P_Table                      72           9          21 
Railroad Crossing   Gate                         20           7           7 
                    Sensor                        6           3           3 
Stoplight           Controller                  420          84         198 
                    Sensor                        6           3           3 
Total                                          1978         585         986 


When a transition is parameterized, such as the request_floor transition of the 
Elevator_Button_Panel process shown in section 2, each set of parameters represents 
one possible choice that a process can make. Usually, the start of a transition with 
one set of parameters does not preclude the start of the same transition with a different 
set of parameters immediately afterward. Thus, the sequences generated for 
parameterized transitions do not usually give any helpful information to the user since 
essentially any transition can follow any other. 

Since the standard sequence generator proof obligations do not ordinarily produce 
a useful result for parameterized transitions, a parameterized extension has been 
added to the sequence generator. In this extension, if two transitions have the same 
parameter list (i.e. the same number of parameters and parameter types), the successor 
proof obligations are attempted assuming that the parameters are the same. That is, 
the sequences are generated with a fixed set of parameters among consecutive 
transitions. This is useful for finding the sequence of transitions in a single "thread". 
For example, by keeping the parameters fixed in the Central_Control process of the 
phone system of [5], the sequences of transitions that make up the evolution of a call 
for a particular phone can be computed. The numbers in Table 1 were computed 
using the parameterized extension. The numbers for the Elevator_Button_Panel, 
Central_Control, and Controller processes are the only processes affected by this 
extension. 

After the successors have been computed, the sequence generator constructs 
transition sequences based on input from the user, which includes the first and last 
transitions, the direction to generate sequences from the first transition, the maximum 
number of transitions per sequence, and the maximum number of sequences. There is 
also an option to disallow sequences in which the same transition appears more than 
once (besides as the first or last transition). The user must provide the maximum 
number of transitions per sequence and if the search is backward, must provide the 
first transition. The sequence generation process is completely automatic and is 
available as a component of the ASTRAL Software Development Environment (SDE) 
[17]. The ASTRAL SDE constructs the sequence generator obligations, invokes 
PVS, runs the proof scripts, retrieves the results, and then generates the sequences 
according to the user query. Since running the proof scripts can be time-consuming, 
the results are saved between changes to the specification, so that sequences from 
previous proof attempts can be quickly displayed. 

For each sequence generated, an approximate running time of the sequence is 
constructed by analyzing the entry assertion of each transition. Entry assertions 
depend on the values of local and imported variables, the call/start/end times of local 
and imported transitions, and the current time in the system. Transitions that only 
depend on local variables and/or the start/end times of local transitions will always 
fire immediately after another transition. Transitions that reference the current time, 
however, may be delayed some amount of time before firing. For example, the 
door_stop transition, shown in section 6.1, fires at least t_move_door after the door 
starts moving. Similarly, transitions may wait indefinitely for a change to an 
imported variable, a call/start/end to an imported transition, or a call to a local 
transition from the external environment. The three types of delays are denoted 
delay_T for a time delay, delay_O for a delay because of the other processes in the 
system, and delay_E for a delay due to the external environment. 

The sequence generator is complete (i.e. if a sequence is possible it will appear as 
a result) without the parameterized extension since the successor obligations are 
performed using the PVS encoding, which will only eliminate a successor if it is 
derivable that it cannot occur. The sequence generator is not complete with the 
parameterized extension because it does not display any sequences in which two 
parameterized transitions with the same parameter lists are given different parameters. 
In this case, utility was chosen over completeness. 

The accuracy of the sequence generator can be improved by manually performing 
the proofs of those successor obligations that actually can be proved but could not be 
automatically proved by the try-seq-gen strategies. The time used to run the proof 
scripts or to refine the performance of the sequence generator is not wasted because 
any successor eliminated can be used as a lemma in the main proof obligations. 

As a simple example of a sequence generator query, consider the door_stop case 
that failed in the try-untimed proof of "elevator_moving → ~door_open" in section 
6.1. The user may wish to view the predecessors to door_stop to see if the proof can 
be completed quickly or if a violation is possible involving the door_stop transition. 
Figure 3 shows the sequence generator dialog box and the second of the three 
sequences generated from the query. 
Fig. 3. Sequence generator dialog box and query result 



Three sequences are returned to the user, which show three possible predecessors to 
door_stop: close_door, open_door, and arrive. If close_door fires before door_stop, 
the door is closed when door_stop completes firing, thus the property trivially holds. 
The open_door transition sets elevator_moving to false, thus the property also 
trivially holds if open_door fires before door_stop. The arrive transition, shown 
earlier, requires the elevator car to be moving to fire. By the inductive hypothesis, the 
door is closed when it fires, thus if arrive precedes door_stop, the invariant can be 
violated because the elevator car is moving and door_stop sets door_open to true. 
Therefore, the user knows that to complete the proof, it must be shown that arrive 
cannot fire immediately before door_stop. The arrive case is another example of a 
successor that the sequence generator could not eliminate automatically and yet is not 
actually possible after further analysis. Thus, the user must consider the predecessors 
of arrive and continue the proof process in a similar manner until the property is 
proved. Additional uses of the transition sequence generator can be found in [16]. 



7 Related Work 

The temporal logics TRIO [1] and DC [18] have been encoded into PVS as discussed 
in section 4.1. TRIO is a lower-level formalism than ASTRAL and DC is not as 
expressive. Several real-time state machine languages have also been encoded into 
theorem provers. The Timed Automata Model has been encoded into PVS [2] and 
Timed Transition Systems into HOL [13]. These languages are based on interleaved 
concurrency, however, which makes their semantics simpler than those of ASTRAL. 
Additionally, Timed Transition Systems are not defined in terms of arbitrary first- 
order logic expressions and do not have the complex subtyping mechanisms that are 
available in ASTRAL. 

An encoding of ASTRAL into PVS was reported in [3] and [4], but this encoding 
is based on a definition of ASTRAL that has been developed independently at Delft 
University based on earlier ASTRAL work in [9] and [10]. The ASTRAL definition 
in [9] and [10] did not include the notion of an external environment, thus did not 
include the call operator, environmental assumptions, or schedules. The Delft 
definition has diverged from the work reported in [5] and [7] and has essentially 
become a different language. It includes only a small subset of the full set of 
ASTRAL operators and typing options, does not include all of the sections of an 
ASTRAL specification, and defines only a small fraction of the axiomatization of the 
ASTRAL abstract machine. In addition, it is based on a discrete time domain and 
proofs are performed with a global view of the system rather than using a modular 
approach. 

8 Conclusions and Future Work 

This paper has discussed the adaptation of the PVS theorem prover for performing 
analysis of real-time systems written in the ASTRAL formal specification language. 
A number of issues were encountered during the encoding of ASTRAL that are 
relevant to the encoding of many real-time specification languages. These issues 
were presented as well as how they were handled in the ASTRAL encoding. A 
translator has been written that translates any ASTRAL specification into its 
corresponding PVS encoding. After performing the proofs of several systems using 
the encoding, PVS strategies have been developed to automate the proofs of certain 
types of properties. In addition, the encoding has been used as the basis for a 
transition sequence generator tool. 

A number of issues still need to be addressed in future work. The implementation 
clause of ASTRAL, which is used to map relationships between upper and lower level 
specifications, needs to be incorporated into the translator, as well as the inter-level 
proof obligations used to show that an implementation is consistent with the level 
above. Currently, the refinement mechanism described in [6] is in a transitional 
phase, so its translation was postponed until the new refinement mechanism is in 
place. 

A number of enhancements to the sequence generator can be added. For instance, 
it is useful to provide a more powerful interface. For example, a query interface could 
be added to answer queries such as whether a given transition can ever occur between 
two other specified transitions. It is also possible to construct a symbolic expression 
for the values of the state variables at the end of each sequence by examining the 
entry and exit assertions of each transition. 

In general, more proofs need to be performed for different ASTRAL systems 
using their PVS translations. In studying the proofs performed for many systems, 
more proof patterns may be discovered that can be incorporated into suitable PVS 
strategies. The patterns may also lead to the definition of useful lemmas that can be 
proven in advance and added to the ASTRAL-PVS library for future use. It is also 
worthwhile to investigate whether the structure of the ASTRAL specification 
determines which lemmas and strategies are most applicable to a given formula type. 
Abstract. We address the issue of modelling a simple timeout in timed 
automata. We argue that expression of the timeout in the UPPAAL 
timed automata model is unsatisfactory. Specifically, the solutions we 
explore either allow timelocks or are prohibitively complex. In response 
we consider timed automata with deadlines which have the property that 
timelocks cannot be created when composing automata in parallel. We 
explore a number of different options for reformulating the timeout in 
this framework and then we relate them. 



1 Introduction 

A timeout is perhaps the most basic and widely arising specification structure in 
real-time systems. For example, timeouts arise frequently when modelling commu- 
nication protocols, and work on enhancing "first generation" specification tech- 
niques with real-time has frequently been directly motivated by the desire to 
model timeouts in communication protocols. 

From within the canon of timed specification notations, timed automata [?] 
are certainly one of the most important. One reason for this is that powerful 
real-time model checking techniques have been developed for timed automata, 
as exemplified by the tools UPPAAL [?], Kronos [?] and HyTech [?]. 

However satisfactorily modelling timeout structures proves surprisingly diffi- 
cult in timed automata. Broadly, problems arise because it is difficult to define 
timeout behaviour in a manner that avoids the possibility of timelocks. By way 
of clarification: 

we say that a system is timelocked if it has reached a state from which 
no path can be found to a time passing transition. 

Timelocks are highly degenerate situations because they yield a global blockage 
of the systems evolution. For example, if a completely independent component 
is composed in parallel with a system that is timelocked, then the entire com- 
position will inherit the timelock. This is quite different from a classic (local) 
deadlock, which cannot affect the evolution of an independent process. These 
characteristics of timelocks will be illustrated in section 2. 

This paper addresses the issue of how to model timeouts without generat- 
ing timelocks. We illustrate how the difficulty arises in current timed automata 
models and then we consider a new timed automata model - Timed Automata 
with Deadlines (TADs) - which guarantee timelock free parallel composition 
of automata components. 

We begin (in section 2) by presenting background material - we introduce 
timed automata, discuss the nature of timelocks and outline the timeout be- 
haviour that we require. These requirements have been identified during practi- 
cal study of the specification and verification of a lip-synchronisation algorithm 
[?]. Then (in section 3) we discuss possible ways to model the timeout in timed 
automata. As a typical timed automata model we choose the UPPAAL [2] nota- 
tion. This is one of the most important timed automata approaches. We argue 
that none of the legal UPPAAL approaches are completely satisfactory. In par- 
ticular, avoiding the possibility of timelocks is difficult and leads to prohibitively 
complex solutions. 

In response, (in section 4) we consider how the same timeout behaviour can 
be modelled in Timed Automata with Deadlines [?]. However, it turns out that 
the standard TADs approach, as presented in [?], resolves the timelock problem, 
but introduces a new difficulty which is related to the generation of escape 
transitions. Consequently, we consider a number of different TAD formulations 
in section 5 which resolve these difficulties in contrasting ways. Finally, in section 
6 we relate these solutions and present a concluding discussion. 

2 Background 

2.1 Timed Automata 

We briefly review some basic timed automata notation. 

— $A$ is the set of completed (or basic) actions. 

— $\bar{A} = \{ a?, a! \mid a \in A \}$ is the set of uncompleted actions. These give a simple 
CCS style [?] point-to-point communication which has also been adopted 
in UPPAAL. 

— $A^+ = A \cup \bar{A}$ is the set of all actions. 

— We use a complementation notation over elements of $A^+$: 

$\bar{a} = a$ if $a \in A$ (1) 

$\overline{b?} = b!$ (2) 

$\overline{b!} = b?$ (3) 



In addition, we let $v, v'$ etc. range over vectors of processes, which are written 
$\langle l_1, \ldots, l_n \rangle$; $|v|$ denotes the length of the vector. We use a substitution notation 
as follows: $\langle l_1, \ldots, l_i, \ldots, l_n \rangle [l/l_i] = \langle l_1, \ldots, l, \ldots, l_n \rangle$, and we write 
$v[l'_1/l_{i_1}][l'_2/l_{i_2}] \cdots [l'_m/l_{i_m}]$ as $v[l'_1/l_{i_1}, l'_2/l_{i_2}, \ldots, l'_m/l_{i_m}]$. We assume a finite set $C$ 
of clocks which range over $\mathbb{R}^+$, and $CC$ is a set of clock constraints^1. An arbitrary 
element of $\mathcal{A}$, the set of all timed automata, has the form: 

$(L, l_0, T, P)$ 



where, 

— $L$ is a finite set of locations (these appear as small circles in our timed 
automata diagrams, e.g. see figure 1); 

— $l_0$ is a designated start location; 

— $T \subseteq L \times CC \times A^+ \times \mathcal{P}(C) \times L$ is a transition relation (where $\mathcal{P}(S)$ denotes 
the powerset of $S$). A typical element of $T$ would be $(l_1, g, a, r, l_2)$, where 
$l_1, l_2 \in L$ are automata locations; $g \in CC$ is a guard; $a \in A^+$ labels the 
transition; and $r \in \mathcal{P}(C)$ is a reset set. $(l_1, g, a, r, l_2) \in T$ is typically written 
$l_1 \xrightarrow{g,a,r} l_2$, stating that the automaton can evolve from location $l_1$ to $l_2$ if the 
(clock) guard $g$ holds and in the process action $a$ will be performed and all 
the clocks in $r$ will be set to zero. When we depict timed automata, we write 
the action label first, then the guard and then the reset set, see e.g. figure 
1. Guards that are true or resets that are empty are often left blank. 

— $P : L \to CC$ is a function which associates a progress condition (often 
called an invariant) with every location. Intuitively, an automaton can only 
stay in a state while its progress condition is satisfied. Progress conditions 
are shown adjacent to states in our depictions, see e.g. figure 1. 

Timed automata are interpreted over time/action transition systems which 
are triples, $(S, s_0, \to)$, where, 

— $S$ is a set of states; 

— $s_0$ is a start state; 

— $\to \subseteq S \times Lab \times S$ is a transition relation, where $Lab = A^+ \cup \mathbb{R}^+$. Thus, 
transitions can be of one of two types: action transitions, e.g. $(s_1, a, s_2)$, 
where $a \in A^+$, and time passing transitions, e.g. $(s_1, x, s_2)$, where $x \in \mathbb{R}^+$ 
and denotes the passage of $x$ time units. Transitions are written: 

$s_1 \xrightarrow{a} s_2$ respectively $s_1 \xrightarrow{x} s_2$ 

A clock valuation is a mapping from clock variables $C$ to $\mathbb{R}^+$. For a clock 
valuation $u$ and a delay $d$, $u \oplus d$ is the clock valuation such that $(u \oplus d)(x) = 
u(x) + d$ for all $x \in C$. For a reset set $r$, we use $r(u)$ to denote the clock valuation 
$u'$ such that $u'(x) = 0$ whenever $x \in r$ and $u'(x) = u(x)$ otherwise. $u_0$ is the 
clock valuation that assigns all clocks the value zero. 

The semantics of a timed automaton $A = (L, l_0, T, P)$ is a time/action tran- 
sition system, $(S, s_0, \to)$, where $S$ is the set of all pairs $\langle l, u \rangle$ such that $l \in L$ 
and $u$ is a clock valuation, $s_0 = \langle l_0, u_0 \rangle$ and $\to$ is given by the following 
inference rules: 

$$\frac{l \xrightarrow{g,a,r} l' \quad g(u)}{\langle l, u \rangle \xrightarrow{a} \langle l', r(u) \rangle} 
\qquad 
\frac{\forall d' \le d \,.\, P(l)(u \oplus d')}{\langle l, u \rangle \xrightarrow{d} \langle l, u \oplus d \rangle}$$ 

^1 The form that such constraints can take is typically limited, however since we are 
not considering verification this is not an issue for us. 



We assume our system is described as a network of timed automata. These 
are modelled by a process vector^2 denoted $\| \langle A_1, \ldots, A_n \rangle$. If $\forall i (1 \le i \le 
n) \,.\, A_i = (L_i, l_{i,0}, T_i, P_i)$ then the product automaton, which characterises the 
behaviour of $\| \langle A_1, \ldots, A_n \rangle$, is given by 

$(L^P, l^P_0, T^P, P^P)$ 

where $L^P = \{ \|v \mid v \in L_1 \times \ldots \times L_n \}$, $l^P_0 = \| \langle l_{1,0}, \ldots, l_{n,0} \rangle$, $T^P$ is as defined by 
the following two inference rules and $P^P(\| \langle l_1, \ldots, l_n \rangle) = P_1(l_1) \wedge \ldots \wedge P_n(l_n)$. 

$$\frac{l_i \xrightarrow{g_i,a?,r_i} l'_i \quad l_j \xrightarrow{g_j,a!,r_j} l'_j}{\|v \xrightarrow{g_i \wedge g_j,\, a,\, r_i \cup r_j} \|v[l'_i/l_i, l'_j/l_j]} 
\qquad 
\frac{l_i \xrightarrow{g,a,r} l'_i \quad a \in A}{\|v \xrightarrow{g,a,r} \|v[l'_i/l_i]}$$ 

where $1 \le i, j \le |v|$, $i \ne j$. 



2.2 Timelocks 

We can formulate the notion of a timelock in terms of a testing process. Con- 
sider, if we take our system which we denote System and compose it completely 
independently in parallel with the timed automaton Tester, shown in figure 1, 
where the zzz action is independent of all actions in the system. Then for any 
$x \in \mathbb{R}^+$, if the composition || <Tester(x),System> cannot perform zzz then the 
system contains a timelock at time x. 

This last illustration indicates why timelocks represent such degenerate sit- 
uations - even though the Tester is in all respects independent of the system, 
e.g. it could be that Tester is executed on the Moon and System is executed 
on Earth without any co-operation, the fact that the system cannot pass time 
prevents the tester from passing time as well. Thus, time really does stop and it 
stops everywhere because of a degenerate piece of local behaviour. 

This is a much more serious fault than a classical (local) deadlock. For ex- 
ample, the automaton Stop, also shown in figure 1, generates a local deadlock, 
however, it cannot prevent an independent process from evolving. In the sequel 
we will use the term local deadlock to denote such a non-timeblocking deadlock. 

We consider two varieties of timelock which we illustrate by example, see 
figure 2. 

^2 Although our notation is slightly different, our networks are a straightforward sim- 
plification of those used in UPPAAL. The simplifications arise because we do not 
consider the full functionality of UPPAAL. For example, we do not consider com- 
mitted locations or data variables. 



338 

Howard Bowman 

[Figure 1: Tester(y), a single transition labelled zzz with guard t==y] 

Fig. 1. A tester and a (locally) deadlocked timed automata 



1. The first is System1; this is a zeno process which performs an infinite number 
of aaa actions at time zero. This system is time locked at time zero and if we 
compose it independently in parallel with any other system, the composite 
system will not be able to pass time. We call such timelocks zeno timelocks. 

2. The second is the network || <System2,System3>; this composition contains 
a timelock at time 2, which arises because System2 must have performed 
(and thus, synchronised on) action aaa by the time t reaches 2 while System3 
does not start offering aaa until t has passed 2. Technically the timelock is 
due to the fact that at time 2 System2 only offers the action transition 
aaa and importantly, it does not offer a time passing transition. Since the 
synchronisation cannot be fulfilled the system cannot evolve to a point at 
which it can pass time. We call such timelocks composition timelocks. 

The interesting difference between these two varieties of timelock is that 
the first one locks time, but in the classical sense of untimed systems, is not 
deadlocked, since actions can always be performed. However, the second reaches 
a state in which neither time passing or action transitions are possible. Such 
composition timelocks are the variety we will address in this paper. 

2.3 A Bounded Timeout 

We describe a rather standard timeout behaviour, which we call a Bounded Time- 
out. The general scenario is that a Timeout process is monitoring a Component 
and the timeout should expire and enter an error state if the Component does 
not offer a particular action, which we call good, within a certain period of time. 
The precise functionality that we want the timeout to exhibit is^3: 

1. Basic behaviour. Assuming Timeout is started at time t, it should generate a 
timeout action at a time t + D if and only if the action good has not already 
occurred. Thus, if action timeout occurs, it must occur exactly at time t + D 



^3 Our presentation here is similar to that in [?]. 

Fig. 2. Timelock Illustrations 



and if action good occurs, then it must occur at some time from t up to, 
but not including, t + D. Using the terminology of [?] this yields a strong 
timeout. A weak timeout would, in contrast, allow a non-deterministic choice 
between the good action and the timeout at time t + D. 

2. Urgency of good action. We also require that if the good action is enabled 
before time t + D then it is taken urgently, i.e. as soon as good is enabled 
it happens. This urgency requirement is akin to the "as soon as possible" 
principle which has been applied in timed process algebra [?]. 

3. Timelock Free. Finally we want our composed system to be free of timelocks, 
for obvious reasons. 

4. Simple. We also require that the solution is not “prohibitively” complex. 

Notice that in the first two of these requirements, urgency arises in two ways. 
Firstly, we require that timeout is urgent at time t + D and secondly, we require 
that good is urgent as soon as it is enabled. Without the former requirement the 
timeout might fail to fire even though it has expired and without the latter, even 
though the good action might be able to happen it might nonetheless not occur 
and thus, for example, the timeout may expire even though good was possible. 

We also emphasize that although our work here was inspired by that in [?], it 
is somewhat different. In particular, [?] presents a bounded timeout in a discrete 
time setting, thus, the final time at which the good action can be performed and 
the time of expiry of the Timeout are at different discrete time points. 
3 Modelling the Bounded Timeout in UPPAAL 

In this section we describe the bounded timeout in UPPAAL. However, our 
discussion is not solely relevant to this notation, and could be extrapolated to 
timed automata notations in general. 

Basic Formulation. We begin by considering the Timeout shown in figure 3. 
This process realises the first requirement that we identified for modelling the 
bounded timeout - good is offered at all times in which t<D. Then timeout 
is performed when t==D, in which case the system passes into state a2 which 
plays the role of an error state. Importantly, the guard (t<=D) forces the required 
urgency on the timeout action. Thus, if good has not happened earlier, timeout 
must happen when t==D. Furthermore, it is easy to see that this is indeed a strong 
timeout - its behaviour is deterministic when t==D. 




Fig. 3. An UPPAAL Automaton for Timeoutl 



However on its own, this automaton is not sufficient since nothing forces 
the good action to be taken if it can be. This was our second requirement. For 
example, consider Component1 shown in figure 4, which will perform an internal 
action tau^4 at some time r<=C and then offer the good action. The internal 
action can be viewed as modelling some internal computation by Component1, 
the completion of which is signalled by offering good!. Now if we put Timeout1 
and Component1 in parallel then even if good could occur while t<D, it might 
not be taken. Thus, a possible trace of the system: 

|| <Timeout1,Component1> 

is $(tau, x_1)(timeout, x_2)$ where $x_1 < C$, $x_1 < D$ and $x_2 = D$. 

^4 In fact, internal transitions are left unlabelled in UPPAAL, however, we abuse no- 
tation in order that we can refer to the transition. 
Fig. 4. UPPAAL Automata for Component1 and Component2 



Thus, we need some way to make good urgent. The standard approach is 
to enforce urgency in the component. For example, we could use Component2 
shown in figure 4. This automaton will perform the internal action as before and 
then it must immediately perform the good action. 

Now the problem with the composition: 

|| <Timeout1,Component2> 

is the relative values of D and C. In particular, if C is larger than D then this 
system can time-block in the following way:- 

1. the timeout could fire when t==D; 

2. then if tau happens when r==C say, good! will become urgent, however 
it cannot be performed since Timeout1 is no longer offering it, causing a 
timelock. Component2 will not let time pass until good is performed, but 
good cannot be performed because of a mis-matched synchronisation. 

We would argue that this is a big problem. In particular, it is not generally 
possible to ensure that C is less than D since our component behaviour would 
typically be embedded in the complex functioning of a complete system. In 
fact, writing C as we have done, abstracts from a likely multitude of complexity 
and deriving such a value from a system would typically require analysis of 
many components of the complete system, some of which might be time non- 
deterministic at the level of abstraction being considered. 
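The product rules of section 2.1 and the timelock just described, as an added Python example that is not part of the paper: it builds the product transitions on demand from the two inference rules, checks progress conditions for time passing, and replays the trace of || <Timeout1,Component2> for C > D beside a harmless one for C < D. Assumed, since figures 3 and 4 are not reproduced here: Timeout1 as described above (invariant t<=D on a0), Component2 encoding its urgent good! by resetting a clock x on tau and carrying the invariant x<=0 on the intermediate location, and the constants D=2, C=3.

```python
from dataclasses import dataclass
import operator

OPS = {"<": operator.lt, "<=": operator.le, "==": operator.eq, ">": operator.gt, ">=": operator.ge}

@dataclass
class Trans:
    src: str
    label: str          # "good?" / "good!" are uncompleted actions, "tau" / "timeout" completed
    guard: tuple        # conjunction of (clock, op, const); () is the guard true
    resets: frozenset   # reset set r
    dst: str

@dataclass
class Automaton:
    name: str
    init: str           # l_0
    trans: list
    inv: dict           # progress condition P(l) per location, as upper bounds on clocks

def holds(constraints, u):
    return all(OPS[op](u[c], k) for c, op, k in constraints)

def enabled(net, locs, u):
    """Action transitions of the product automaton at <locs, u>, following the two
    inference rules of section 2.1: interleaving of completed actions, and a?/a!
    synchronisation with guard g_i /\ g_j and reset set r_i U r_j."""
    out = []
    for i, A in enumerate(net):
        for t in A.trans:
            if t.src != locs[i] or not holds(t.guard, u):
                continue
            if not t.label.endswith(("?", "!")):           # completed action, a in A
                out.append((t.label, t.resets, locs[:i] + (t.dst,) + locs[i + 1:]))
            elif t.label.endswith("?"):                    # pair each a? with a matching a!
                a = t.label[:-1]
                for j, B in enumerate(net):
                    for s in B.trans:
                        if j != i and s.src == locs[j] and s.label == a + "!" and holds(s.guard, u):
                            new = list(locs)
                            new[i], new[j] = t.dst, s.dst
                            out.append((a, t.resets | s.resets, tuple(new)))
    return out

def fire(net, locs, u, label):
    for lab, resets, new in enabled(net, locs, u):
        if lab == label:
            return new, {c: 0 if c in resets else v for c, v in u.items()}   # r(u)
    raise ValueError(f"{label} is not enabled at {locs} with {u}")

def delay(net, locs, u, d):
    """Time passing transition u (+) d; every progress condition must hold along the way,
    and for upper-bound invariants checking the end point suffices."""
    u2 = {c: v + d for c, v in u.items()}
    for i, A in enumerate(net):
        if not holds(A.inv.get(locs[i], ()), u2):
            raise ValueError(f"a delay of {d} violates the progress condition of {locs[i]}")
    return u2

def can_delay(net, locs, u):
    """Some positive delay is possible iff every clock is strictly below its bound."""
    return all(u[c] < k for i, A in enumerate(net) for c, _, k in A.inv.get(locs[i], ()))

def composition_timelocked(net, locs, u):
    """Neither an action transition nor a time passing transition is possible (section 2.2)."""
    return not enabled(net, locs, u) and not can_delay(net, locs, u)

def timeout1(D):
    return Automaton("Timeout1", "a0",
        [Trans("a0", "good?", (("t", "<", D),), frozenset(), "a1"),
         Trans("a0", "timeout", (("t", "==", D),), frozenset(), "a2")],
        {"a0": (("t", "<=", D),)})

def component2(C):
    # Assumed encoding of the urgent good!: tau resets clock x and location b1
    # carries the invariant x <= 0, so no time may pass before good! is taken.
    return Automaton("Component2", "b0",
        [Trans("b0", "tau", (("r", "<=", C),), frozenset({"x"}), "b1"),
         Trans("b1", "good!", (), frozenset(), "b2")],
        {"b1": (("x", "<=", 0),)})

def run(net, steps):
    """Replay a trace: numbers are delays, strings are action labels."""
    locs, u = tuple(A.init for A in net), {"t": 0, "r": 0, "x": 0}
    for step in steps:
        if isinstance(step, (int, float)):
            u = delay(net, locs, u, step)
        else:
            locs, u = fire(net, locs, u, step)
    return locs, u

def timelock_scenario(D=2, C=3):
    """C > D: timeout fires at t==D, tau later at r==C, then good! is urgent but has no partner."""
    net = [timeout1(D), component2(C)]
    locs, u = run(net, [D, "timeout", C - D, "tau"])
    return composition_timelocked(net, locs, u), locs

def ok_scenario(D=2, C=1):
    """C < D: tau happens early enough for good to synchronise before the timeout."""
    net = [timeout1(D), component2(C)]
    locs, u = run(net, [C, "tau", "good"])
    return composition_timelocked(net, locs, u), locs
```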

Furthermore, in some situations we might actually be interested in analysing 
what happens if the good action arrives after the timeout has fired. Consider, 
for example, that our timeout behaviour is being used to wait for an acknowl- 
edgement in a sender process. The component performing good after timeout 
has fired corresponds to the acknowledgement arriving after the timeout has 






expired, which is of course a possible scenario in practical analysis of communi- 
cation protocols. 

The problem with our || <Timeout1,Component2> solution is that it does not 
enable us to analyse this situation, rather the system timelocks when Component2 
forces the good action to happen. Unfortunately, as mere mortals, we are unable 
to analyse systems after the end of time! 




Fig. 5. An UPPAAL Automaton for Timeout2 



One way to avoid this timelock is to add “escape” transitions in the timeout. 
For example, consider the timeout behaviour encapsulated by Timeout2. Now 
the composition, 

|| <Timeout2,Component2> 

cannot block time. However, this is not a satisfactory solution since rather 
than Timeout2 just evolving to a single deadlock state, a2, after performing 
timeout, it could evolve to a complex behaviour; of course in practice it is 
almost certain to do this. However then, escape transitions would have to be 
scattered throughout the complex behaviour. This would generate significant 
specification clutter, which would be compounded if the system contained more 
than one timeout. 

The consequences become particularly severe if the timeout is enclosed in 
some repetitive behaviour, e.g. see figure 6. This is because, since no assumptions 
can be made about the time at which the component will want to perform 
the good action, escape transitions on good will have to be added at a0, a2, 
b0, b1 (and actually a1 as well). Thus, firstly, the behaviour prior to reaching 
the timeout has been altered, i.e. escape transitions must be added at b0 and 
secondly, it is unclear how many escape transitions need to be added to each 
node in the loop, since state a2 may be reached many times before the first good 
escape transition is performed. 

Urgent Channels. UPPAAL also contains the concept of an urgent channel. 
The specifier is allowed to denote a particular channel as urgent, which means 
Fig. 6. Timeout2 in a repetitive context 



that as soon as synchronisation on that channel can take place, it does. However, 
UPPAAL restricts the use of such urgent channels. In particular, an urgent 
transition can only have the guard true. 

Intuitively, urgent channels seem to be what we require in order to avoid 
enforcing urgency in the component process. In particular, they enforce urgency 
in a "global" manner, rather than requiring it to be enforced in the component 
process. However, it turns out that the restriction on guarding of urgent channels 
that UPPAAL imposes prevents derivation of a suitable solution, see [?], which 
investigates possible solutions with urgent channels which were inspired by the 
solutions presented in [?]. 

In summary then, although we do not have a formal proof that a completely 
satisfactory UPPAAL description of the timeout cannot be found, we postulate 
that if it is possible, the complexity inherent in the solution would be prohibitive. 



4 Timed Automata with Deadlines 

A more radical approach to realising a satisfactory bounded timeout is to con- 
sider the Timed Automata with Deadlines (TAD) framework developed by Bornot 
et al. [?]. The reason for selecting this model is that it is argued that it has 
very nice properties with regard to time progress and timelocks. In particular, 
the following property holds. 






a state cannot be reached in which neither action or time passing tran- 
sitions can be performed. 

This property is referred to as time reactivity and since such situations (as 
opposed to zeno timelocks) arise through mismatched parallel compositions, it 
ensures freedom from composition timelocks. 

Basic Framework. For a full introduction to TADs, we refer the interested 
reader to [?]; here we highlight the main principles: 

— Deadlines on Transitions. Rather than placing invariants on states, deadlines 
are associated with transitions. Transitions are annotated with 4-tuples: 

(a,g,d,r) 

where a is the transition label, e.g. good; g is the guard, e.g. t<=D; d is the 
deadline, e.g. t==D; and r is the reset set, e.g. t:=0. a, g and r are famil- 
iar from standard timed automata and the deadline is new. Conceptually, 
the guard states when a transition is enabled, i.e. may be taken; while the 
deadline states when it must be taken and taken immediately. 

It is also assumed that the constraint 

$d \Rightarrow g$ 

holds, which ensures that if a transition is forced to happen it is also able 
to. Clearly, if this constraint did not hold then we could obtain timelocks 
because a transition is forced to happen, but it is not enabled. 

Since we have deadlines on transitions there is no need for invariants on 
states. Thus, they are not included in the framework. 

— (Timewise) Priorities. By restricting guards and deadlines in choice con- 
texts, prioritised choice can be expressed. For example, if we have two tran- 
sitions: 



b1 = (a1, g1, d1, r1) and b2 = (a2, g2, d2, r2) 

[Figure 7: a choice between the transitions (a1,g1',d1',r1) and (a2,g2,d2,r2)] 

Fig. 7. A Prioritised Choice 

then when placing them in a choice context we can give b2 priority over b1 
by restricting the guards and deadlines of b1, see figure 7. [?] considers a 
variety of priority operators, which ensure that if the higher priority action 
will eventually be enabled within a particular period of time then it takes 
precedence over competing actions. These different priority mechanisms are 
obtained by including timed temporal operators in the restricted guards and 
deadlines. The extreme example of which is to enforce the following restricted 
guard and deadline: 

$g1' = g1 \wedge \Box\neg g2$ and $d1' = d1 \wedge g1'$ 

which ensures that b1 is only enabled if g1 holds and there is no point in the 
future at which g2 will hold. 

— Parallel Composition with Escape Transitions. The TADs framework em- 
ploys a different parallel composition operator to that arising in standard 
timed automata. The key idea is that of an escape transition. These are 
the local transitions of automata components that are combined when gen- 
erating a synchronisation transition. Thus, not only are synchronisations 
included, but component transitions of the synchronisation are as well. The 
timewise priority mechanism is then used to give the synchronisation tran- 
sition highest priority. Intuitively, the escape transitions can only happen if 
the synchronisation transition will never be enabled. We will illustrate this 
aspect of TADs shortly. 

— Synchronisation Strategies. [?] also consider a number of different synchro- 
nisation strategies, but these are not relevant to our discussion. In terms of 
[?], we only consider AND synchronisation. 

In fact, in addition to ensuring time reactivity, the TADs framework limits 
the occurrence of local deadlocks. Specifically, the escape transitions allow the 
components of a parallel composition to escape a potential local deadlock by 
evolving locally. Associated with such avoidance of local deadlocks is the en- 
forcement of maximal progress^5, which exactly requires that if a synchronisation 
is possible, it is always taken in preference to a corresponding escape transition. 

Basic Definitions. We now briefly review the definition of timed automata 
with deadlines. Also, in order to preserve some continuity through the paper we 
continue to use the UPPAAL synchronisation notation even though it is different 
to that used in [?]. 

An arbitrary element of $\mathcal{A}$, the set of TADs, has the form: 

$(L, l_0, T)$ 

where, $L$ is a finite set of locations; $l_0$ is the start location; and 

— $T \subseteq L \times CC \times CC \times A^+ \times \mathcal{P}(C) \times L$ is a transition relation. A typical element 
of which is $(l_1, g, d, a, r, l_2)$, where $l_1, l_2 \in L$ are automata locations; $g \in CC$ 
is a guard; $d \in CC$ is a deadline; $a \in A^+$ labels the transition; and $r \in \mathcal{P}(C)$ 
is a reset set. $(l_1, g, d, a, r, l_2) \in T$ is typically written, 

$l_1 \xrightarrow{g,d,a,r} l_2$ 

In addition, we will use the function: 

$e_B(l) = \{ (b, g) \mid \exists l' \,.\, l \xrightarrow{g,d,b,r} l' \wedge b \in B \}$ 

^5 Note, the term is used in a related but somewhat different way in the timed process 
algebra setting [?]. 



Standard TADs. We will introduce a number of different TADs approaches in 
this paper. These are distinguished by their rules of parallel composition. Here 
we consider the basic approach, as introduced in [?], which we call standard 
TADs. A TADs expansion theorem for deriving the product behaviour from a 
parallel composition is given in [?]. Here we give an equivalent inference rule 
definition for our state vector notation:- 

(R1) $l_i \xrightarrow{g_i,d_i,a?,r_i} l'_i \quad \ldots$ (the remainder of this rule is illegible in the source) 

(R2) 
$$\frac{l_i \xrightarrow{g,d,a,r} l'_i \quad a \in A^+ \quad \bigcup_{k \ne i} e_{\{\bar{a}\}}(l_k) = \emptyset}{\|v \xrightarrow{g,d,a,r} \|v[l'_i/l_i]}$$ 

where $1 \le i \le |v|$. (R1) generates synchronisation and escape transitions with 
the constrained guards and deadlines ensuring that synchronisation has priority 
in the required manner. (R2) is the interleaving rule, which is straightforward 
apart from the second condition which ensures that transitions on incomplete 
actions are only generated by this rule if synchronisation, and hence rule (R1), 
is not possible. 

As an illustration of these inference rules consider || <A1,A2> where A1 and 
A2 are shown in figure 8. The unreduced composition arising from directly ap- 
plying the inference rules is shown in figure 9(a) (□ is denoted [] and ¬ is 
denoted ~) and figure 9(b) depicts the resulting composed TAD when guards 
and deadlines have been reduced by expanding out temporal operators and ap- 
plying propositional logic. In addition, transitions with unfulfillable guards, e.g. 
false, have been removed. 



Modelling Timeouts without Timelocks 



347 





Fig. 8. TADs A1 and A2 





Fig. 9. Unreduced and reduced composition of A1 and A2 



We can observe the following:- 

1. In figure 9(a) the transition coming from s1t1 labelled a is the synchroni- 
sation transition. 

2. In figure 9(a) the two transitions coming from s1t1 labelled a? and a! re- 
spectively, are the escape transitions. The first arises from automaton A1 
and the second from automaton A2. The guards of these escape transitions 
ensure that they can only fire if the synchronisation will never in the fu- 
ture be possible. Thus, synchronisation transitions have priority over escape 
transitions. 

3. Figure 9(b) shows that since the synchronisation transition inherits the 
guards of a? from A1, no escape transition on a? is possible. If s1t1 is 
entered with t>2 then the escape transition on a! can be taken, enabling A2 
to escape its local deadlock. 
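The expansion of []~ into a plain clock constraint, the d => g check and the escape transitions of figure 9, as an added Python example that is neither the paper's nor Bornot et al.'s code. Assumptions, since figures 8 and 10 are not reproduced here: A1 offers a? eagerly with guard t<=2 and A2 offers a! lazily with guard true (taken from the observations above), every guard and deadline mentions the single clock t, and the synchronisation's own deadline is left aside because the page gives no formula for it.

```python
from dataclasses import dataclass
import operator

OPS = {"<": operator.lt, "<=": operator.le, "==": operator.eq, ">": operator.gt, ">=": operator.ge}

@dataclass(frozen=True)
class Atom:            # one constraint on the single clock t, e.g. Atom("<=", 2) reads t<=2
    op: str
    const: float

TRUE = ()              # the empty conjunction
FALSE = None           # an unsatisfiable guard or deadline (a lazy transition has deadline FALSE)

def interval(cond):
    """Values of t satisfying a conjunction, as (lo, lo_incl, hi, hi_incl), hi None when
    unbounded above; returns None when the conjunction is unsatisfiable."""
    if cond is FALSE:
        return None
    lo, lo_in, hi, hi_in = 0.0, True, None, True          # clocks range over R+
    for a in cond:
        if a.op in (">", ">=", "=="):
            incl = a.op != ">"
            if a.const > lo or (a.const == lo and not incl):
                lo, lo_in = a.const, incl
        if a.op in ("<", "<=", "=="):
            incl = a.op != "<"
            if hi is None or a.const < hi or (a.const == hi and not incl):
                hi, hi_in = a.const, incl
    if hi is not None and (lo > hi or (lo == hi and not (lo_in and hi_in))):
        return None
    return lo, lo_in, hi, hi_in

def holds(cond, t):
    return cond is not FALSE and all(OPS[a.op](t, a.const) for a in cond)

def conj(c1, c2):
    """g1 /\ g2, collapsed to FALSE when the result is unsatisfiable."""
    if c1 is FALSE or c2 is FALSE or interval(c1 + c2) is None:
        return FALSE
    return tuple(dict.fromkeys(c1 + c2))

def always_not(cond):
    """Expand []~cond into a plain clock constraint: t only grows between resets, so cond
    can never hold again exactly when t is already past cond's upper bound."""
    iv = interval(cond)
    if iv is None:            # cond is unsatisfiable, so []~cond is vacuously true
        return TRUE
    hi, hi_in = iv[2], iv[3]
    if hi is None:            # cond stays satisfiable forever
        return FALSE
    return (Atom(">" if hi_in else ">=", hi),)

def implies(d, g):
    """The TAD well-formedness constraint d => g, decided on intervals."""
    di, gi = interval(d), interval(g)
    if di is None:
        return True
    if gi is None:
        return False
    lo, lo_in, hi, hi_in = di
    glo, glo_in, ghi, ghi_in = gi
    lower_ok = lo > glo or (lo == glo and (glo_in or not lo_in))
    upper_ok = ghi is None or (hi is not None and (hi < ghi or (hi == ghi and (ghi_in or not hi_in))))
    return lower_ok and upper_ok

def restrict(g, d, g_high):
    """Give a competing transition with guard g_high priority (figure 7): g' = g /\ []~g_high, d' = d /\ g'."""
    g2 = conj(g, always_not(g_high))
    return g2, conj(d, g2)

def compose_sync(recv, send):
    """Synchronisation guard of a?/a! (AND synchronisation: both guards hold) and the two
    escape transitions of standard TADs, each restricted by the synchronisation guard."""
    g_sync = conj(recv[0], send[0])
    return {"sync_guard": g_sync,
            "escape_recv": restrict(*recv, g_sync),
            "escape_send": restrict(*send, g_sync)}

def figure9_escapes():
    """Assumed A1/A2 of figure 8: A1 offers a? eagerly with guard t<=2, A2 offers a! lazily."""
    a1_recv = ((Atom("<=", 2),), (Atom("<=", 2),))     # (guard, deadline)
    a2_send = (TRUE, FALSE)
    return compose_sync(a1_recv, a2_send)

def timeout4_well_formed(D=2):
    """Assumed Timeout4 (figure 10): eager transitions, guard and deadline coincide."""
    eager = [((Atom("<", D),), (Atom("<", D),)),        # good?
             ((Atom("==", D),), (Atom("==", D),))]      # timeout
    return all(implies(d, g) for g, d in eager)
```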

Bounded Timeout in Standard TADs. Now we reformulate our bounded 
timeout in standard TADs. The component that we consider is Component3 and 
the timeout is Timeout4, both shown in figure 10. 

Fig. 10. A TAD for Timeout4 and Component3 



So, Component3 behaves similarly to Component2 except the good! transition 
is not urgent, i.e. the good transition is never forced to happen^6. In the termi- 
nology of [?], such transitions are called lazy. In contrast, all the transitions in 
Timeout4 are eager [?], since their guard and deadline are the same. This implies 
that as soon as the transition can happen it will happen. 

Now by applying the above inference rules and removing impossible transi- 
tions, the composite automaton shown in figure 11 results. The full version of 
this paper [?] presents the intermediate steps required to derive this composition. 

If we first focus on state a0b1 then we can see that this composite behaviour 
gives priority to the synchronisation between good? and good! which is indicated 
by the transition labelled good. Thus, while t<D this is the only transition that 
can fire (notice r==0 automatically when entering state a0b1) and furthermore 
it is eager. 

Also, if state a0b1 is entered with t==D then timeout is urgent. Furthermore, 
from this state the action good! can happen (but lazily) either at time D or 
later. This is the escape transition, which allows Component3 to move out of 
state b1. Remember the timelock that we obtained previously arose because the 
component could not exit the state where it wished to perform good!^7. 

This solution seems to fulfil our requirements - it is a strong timeout, ur- 
gency is enforced as required on both timeout and good, and the solution is 
timelock free. However, there are some peculiarities with the resulting compos- 
ite behaviour. Consider for example, the transition from a0b0 labelled good?. 
This represents the timeout performing its good escape transition. However, con- 
ceptually it is being performed too early - before the synchronisation on good is 
even offered. In fact, if a0b0 is entered with t==0, which will almost certainly be 
the case, then good? will almost always be selected since it is an eager transition. 
In response to this observation we consider alternative TADs formulations in the 
next section. 

Fig. 11. ||<Timeout4,Component3> in standard TADs 

[Footnote] We prefer to enforce the urgency of good in the timeout because in some of our case 
studies, e.g. [ref], there are situations in which enforcing the urgency of good on the 
system side can cause problems, since nothing ensures that the timeout is ready to 
synchronise on the good exactly when it is offered. In order to avoid this possibility 
we require the system to passively offer its action and thus wait until the timeout 
is ready to receive it. 

[Footnote] Actually, the situation is not as severe here since good! is lazy. 



5 Alternative TAD Formulations 

We consider two alternative TAD formulations. [ref] actually considers a third 
formulation, but this turns out to be unsatisfactory. Both satisfy the require- 
ments that we identified in the introduction for our bounded timeout. Thus, in 
particular, they are both time reactive. However, the solutions vary in the extent 
to which they limit local deadlocks. 

5.1 Sparse Timed Automata with Deadlines 

This is a minimal TADs approach, in which we do not generate any escape 
transitions. Furthermore, since escape transitions are not generated, we do not 
have to enforce any priority between the synchronisation and escape transitions. 

[Footnote] We still call these timed automata with deadlines, because the basic principles, as 
conceived by Bornot et al. [ref], still apply, i.e. placing deadlines on transitions and 
using prioritised choice. 



350 



Howard Bowman 



With sparse TADs the following parallel composition rules are used: 

$$\frac{l_i \xrightarrow{a?,\,g_i,\,d_i,\,r_i} l_i' \qquad l_j \xrightarrow{a!,\,g_j,\,d_j,\,r_j} l_j'}{\|v \xrightarrow{a,\,g',\,d',\,r_i \cup r_j} \|v[l_i'/l_i,\; l_j'/l_j]} \qquad a \in A$$

where $1 \le i, j \le |v|$, $i \ne j$, $g' = g_i \wedge g_j$ and $d' = g' \wedge (d_i \vee d_j)$. 

These rules prevent uncompleted actions from arising in the composite be- 
haviour; they only arise in the generation of completed actions, while completed 
actions offered by components of the parallel composition can be performed in- 
dependently. This definition has the same spirit as the normal UPPAAL rules 
of parallel composition. The difference is that here we have deadlines, which 
we constrain during composition to preserve the property $d \Rightarrow g$. It is straight- 
forward to see that as long as this property holds, we will have time-reactivity. 
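The sparse product rules above, as an added example in Python (not the paper's or UPPAAL's code): a?/a! from distinct components synchronise with $g' = g_i \wedge g_j$ and $d' = g' \wedge (d_i \vee d_j)$, completed actions interleave, no escape transitions are generated, and $d \Rightarrow g$ is checked on the result. The two automata, the bound D=5 and the alphabet A are constructed for illustration and are not the paper's Timeout4 and Component3.

```python
# Added example, not the paper's code: the sparse-TADs product rules applied to
# a constructed timeout/component pair with a single clock t. Guards and deadlines
# are predicates over t; actions in A are completed, and a?/a! offered by distinct
# components synchronise into the completed action a.
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Set

@dataclass(frozen=True)
class Trans:
    src: object                        # location (a pair of locations in the product)
    action: str                        # "a" completed, "a?" / "a!" half-actions
    guard: Callable[[float], bool]     # g: when the transition may fire
    deadline: Callable[[float], bool]  # d: when time may no longer pass (d implies g)
    reset: FrozenSet[str]
    dst: object

def locations(comp: List[Trans]):
    return sorted({t.src for t in comp} | {t.dst for t in comp})

def half_match(x: str, y: str) -> bool:
    return x[-1] in "?!" and y[-1] in "?!" and x[-1] != y[-1] and x[:-1] == y[:-1]

def sparse_product(c1: List[Trans], c2: List[Trans], A: Set[str]) -> List[Trans]:
    prod: List[Trans] = []
    for t1 in c1:  # completed actions interleave; the other component's location is unchanged
        if t1.action in A:
            prod += [Trans((t1.src, l), t1.action, t1.guard, t1.deadline, t1.reset, (t1.dst, l)) for l in locations(c2)]
    for t2 in c2:
        if t2.action in A:
            prod += [Trans((l, t2.src), t2.action, t2.guard, t2.deadline, t2.reset, (l, t2.dst)) for l in locations(c1)]
    for t1 in c1:  # synchronisation: g' = gi and gj, d' = g' and (di or dj), resets ri union rj
        for t2 in c2:
            if half_match(t1.action, t2.action) and t1.action[:-1] in A:
                g = lambda t, gi=t1.guard, gj=t2.guard: gi(t) and gj(t)
                d = lambda t, g=g, di=t1.deadline, dj=t2.deadline: g(t) and (di(t) or dj(t))
                prod.append(Trans((t1.src, t2.src), t1.action[:-1], g, d, t1.reset | t2.reset, (t1.dst, t2.dst)))
    return prod  # no escape transition is generated for an unmatched half-action

def enabled_actions(prod: List[Trans], state) -> List[str]:
    return sorted(tr.action for tr in prod if tr.src == state)

def time_reactive(prod: List[Trans], samples=range(0, 12)) -> bool:
    """d implies g on every product transition (checked at sample clock values)."""
    return all(tr.guard(t) for tr in prod for t in samples if tr.deadline(t))

D, A = 5, {"good", "timeout"}  # constructed timeout bound and completed alphabet
TIMEOUT = [Trans("a0", "good?", lambda t: t <= D, lambda t: t <= D, frozenset(), "a2"),  # eager
           Trans("a0", "timeout", lambda t: t == D, lambda t: t == D, frozenset(), "a1")]
COMPONENT = [Trans("b0", "good!", lambda t: t >= 1, lambda t: False, frozenset(), "b1")]  # lazy good!
PRODUCT = sparse_product(TIMEOUT, COMPONENT, A)
```

Once the timeout has fired, `enabled_actions(PRODUCT, ("a1", "b0"))` is empty: the component's unmatched good! yields a local deadlock rather than a timelock, which is exactly the trade-off the text attributes to sparse TADs.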

Let us consider once again the behaviour 

||<Timeout4,Component3> 

which is the network we were focussing on in the previous section. Now with 
our new parallel composition rules, we obtain the composite behaviour shown in 
figure 12. This is an interesting and very reasonable solution. Firstly, it meets all 
the requirements identified at the start of this paper for our bounded timeout. 
Thus, in particular, it is time-reactive. However, it makes no effort to limit 
local deadlocks, so communication mis-matches yield local deadlocks rather than 
timelocks. 

Fig. 12. ||<Timeout4,Component3> in Sparse TADs 
5.2 TADs with Minimal Priority Escape Transitions 

The idea here is to ensure maximal progress as standard TADs do, but rather 
than just giving escape transitions lower priority than their corresponding syn- 
chronisation, we also give them lower priority than other completed transitions. 
Thus, a component can only perform an escape transition if the component will 
never be able to perform a completed transition. 

The parallel composition rules are: 

(R1) 

$$\frac{l_i \xrightarrow{a?,\,g_i,\,d_i,\,r_i} l_i' \qquad l_j \xrightarrow{a!,\,g_j,\,d_j,\,r_j} l_j'}{\|v \xrightarrow{a,\,g',\,d',\,r_i \cup r_j} \|v[l_i'/l_i,\; l_j'/l_j]} \qquad a \in A$$

where $1 \le i, j \le |v|$, $i \ne j$, $g' = g_i \wedge g_j$, $d' = g' \wedge (d_i \vee d_j)$, and 

(R2) 

$$\frac{l_i \xrightarrow{a,\,g,\,d,\,r} l_i'}{\|v \xrightarrow{a,\,g,\,d,\,r} \|v[l_i'/l_i]} \qquad a \in A$$

(R3) 

$$\frac{l_i \xrightarrow{a,\,g,\,d,\,r} l_i'}{\|v \xrightarrow{a,\,g'',\,d'',\,r} \|v[l_i'/l_i]} \qquad a \text{ incomplete}$$

where $1 \le i \le |v|$ and 

$$g'' = g \;\wedge\; \neg\Diamond\Big(\bigvee_{(b,\,g') \in \mathit{en}(l_i),\; b \in A} g'\Big) \;\wedge\; \neg\Diamond\Big(\bigvee_{\substack{(b,\,g_1) \in \mathit{en}(l_i),\; b \notin A,\\ j \in (\{1..|v|\} - \{i\}),\; (\bar b,\,g_2) \in \mathit{en}(l_j)}} (g_1 \wedge g_2)\Big), \qquad d'' = d \wedge g''$$

Here $\mathit{en}(l)$ denotes the (action, guard) pairs of the transitions offered at location $l$, $\bar b$ the complementary half-action of $b$ (so $\overline{b?} = b!$), and $\Diamond$ is read as "at some future time". 

R1 is the normal synchronisation rule; R2 defines interleaving of completed 
transitions; and R3 defines interleaving of incomplete, i.e. escape, transitions. In 
this final rule, $g''$ holds when, 

1. g holds; 

2. it is not the case that an already completed transition from li could eventu- 
ally become enabled; and 

3. it is not the case that an incomplete transition (including a itself) offered at 
state li could eventually be completed. 

Applying these rules to the composition 

||<Timeout4,Component3> 

and removing impossible transitions (see [ref] for a full presentation) yields the 
composition shown in figure 13. This solution removes the excessively early es- 
cape transition from a0b0, but preserves all other transitions. 



6 Discussion and Conclusions 

We failed to find a fully satisfactory UPPAAL specification of a bounded timeout. 
In response, we presented three different TADs solutions - standard TADs, sparse 
TADs, and TADs with minimal priority escape transitions. The latter two are new 
to this paper. All three meet all the requirements we identified 
at the start of the paper for our timeout. However, our preference is for the 
2nd and 3rd solutions. The 2nd is interesting because it gives a timelock free 
solution but does not seek to minimise local deadlocks, while the 3rd adds escape 
transitions to limit such local deadlocks. 

Fig. 13. ||<Timeout4,Component3> in TADs with minimum priority escape 
transitions 

It is interesting to consider a specific timeout example. In the same way as 
earlier in the paper, we consider the implications if we view the good action as 
the passing of an acknowledgment from the medium to a waiting sender process. 
The situation that the component wishes to perform good after the timeout has 
fired corresponds to the medium delivering the acknowledgment too late. The 
two solutions handle this situation differently. 

With the sparse TADs solution, a local deadlock is generated. Conceptually, 
this indicates that the medium is prevented from delivering the acknowledge- 
ment. This is in fact the normal manner in which mis-matched communications 
are handled in untimed systems - local deadlocks result. In contrast, with TADs 
with minimal priority escape transitions the late delivery of the acknowledge- 
ment yields a local transition in the medium, which could be viewed as the 
acknowledgement packet being consumed/dropped. This avoids the local dead- 
lock and allows the system to proceed. Choosing between these two should be 
made according to the application domain under consideration. 

[Footnote] In particular, the stiff parallel composition of [ref], which seems related to our sparse 
TADs, is in fact rather different since it does not ensure that deadlines imply 
guards when generating the product. Thus, it does not ensure time reactivity. 